Sunday, May 19, 2024

IRCTC Website Flaw Allow Hackers to Access All Your Private Info & Cancelling Booked Tickets

A new bug discovered in IRCTC website allows attackers to gain access to the lakhs of users private information and alter the sensitive data include cancelling the booked ticket.

IRCTC (Indian Railway Catering and Tourism Corporation) is a part of Indian Railway and one of the busiest Railway booking system in the world that manages around 15 to 16 lakh tickets every day.

An Indian Security researcher Ronnie T Baby who discovered this critical vulnerability in the password reset option that used in IRCTC.

During the process of login, When input the user id, an OTP gets automatically sent to the registered mobile number of the account. 

In this case, Ronnie said, “Though there was captcha enabled to prevent brute-forcing of the OTP’s, it surprisingly allowed the reuse of captchas for unlimited requests.”

Cancelling IRCTC Booked Tickets

Initially targetted user ID is required to exploit the bug and it is not a big deal to found the variety of user ID online, here you can see some of Top 100 common names in India.

If any users try to reset their password, 6 random character OTP gets generated and send it the users registered mobile number.

Researcher said, “After a little observation I found that, there is indeed rate limiting to the amount of OTP being sent (it will say that your account has exceeded the OTP limits for the day…). But here the issue was the reuse of valid captchas”

Since the OTP contains a 6 digit corrector, attackers can easily validate the OTP using a variety of brute force tools available online for the maximum checking count of 999999.

During the process of OTP Validation, a parameter called “seqAns ” helps to validates if the OTP matches the one sent on mobile number. 

Ronnie said to “GBHackers on Security” via Email, I could have hacked lakhs of IRCTC accounts and get access to all your private info including easily cancelling booked tickets by repeated request while changing the value of seqAns to reset the password and login to IRCTC user account after observing that correct OTP.”

Here you can see the Proof of concept video that was published online.


Ronnie reported this vulnerability to IRCTC and the bug was fixed by proper captcha verification.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Rail Operator website Hacked and Hackers asked to Pay Ransom in Bitcoins

Massive DDOS Attack on Denmark Railway System that Make Impossible to Buy a Train Ticket


Website

Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles