Indian Railway Catering and Tourism Corporation (IRCTC), the public sector company which sells nearly 5 lakh tickets a day through its website and mobile app, is putting the data of lakhs of commuters at risk, according to cybersecurity experts.
In December 2016, the Indian Railways started offering accident insurance cover at a nominal premium (less than a rupee) to passengers who booked their tickets online.
Cybersecurity researchers Aseem Shrey and Avinash Jain found that the websites of two of these providers, Bajaj Allianz and Liberty General Insurance, expose passenger and nominee details due to a vulnerability called IDOR.
Insecure direct object reference (IDOR) is a vulnerability "through which an attacker can directly access the objects (data) belonging to other users by bypassing the access control mechanism in place." It is one of the most common and impactful security vulnerabilities, Jain said.
The Quint has emailed the Indian Computer Emergency Response Team (CERT-In) and IRCTC about the alleged vulnerability, but we haven't received a response yet.
The researchers found that the following details were available through this vulnerability:
Passenger's full name
Journey details
Mobile number
Gender and age
Insurance nominee's name, age and relationship
Shrey and Jain said that just by changing a number in the website APIs, they were able to access passenger and nominee details and were even able to change or modify them.
Rate limiting is a mechanism that caps how many requests a client may send to a server within a given time window. Because the endpoint had no rate limiting, the researchers said they could query it at a very rapid rate and retrieve the data en masse.
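The following is an added illustration of the two weaknesses the researchers describe, an IDOR on a record-lookup endpoint and the absence of rate limiting, alongside the corresponding fixes. It is constructed example code written for this article, not the insurers', IRCTC's or the researchers' software; the record layout, the `owner` field, the field names and the limiter parameters are assumptions made for the illustration.

```python
"""Constructed example: an IDOR-prone lookup beside a hardened one, plus a
per-client rate limiter. Not the vendors' code; all names are assumptions."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one insurance record per booking, keyed by a
# sequential id (the kind of number the article says was simply changed).
RECORDS: Dict[int, dict] = {
    1001: {"owner": "user_a", "passenger": "A. Sharma", "nominee": "R. Sharma", "mobile": "9xxxxxxxx1"},
    1002: {"owner": "user_b", "passenger": "B. Khan", "nominee": "S. Khan", "mobile": "9xxxxxxxx2"},
}


@dataclass
class Request:
    """Authenticated caller plus the record id supplied in the URL/query."""
    user: str
    record_id: int


def vulnerable_lookup(req: Request) -> Optional[dict]:
    """IDOR: the id from the request selects the record and the caller's identity
    is never compared with the record's owner, so any id returns whatever is
    stored under it."""
    return RECORDS.get(req.record_id)


def hardened_lookup(req: Request) -> Optional[dict]:
    """Fix: resolve the record, then enforce that the caller owns it. Missing and
    foreign records get the same answer so ids cannot be enumerated by telling
    a 403 apart from a 404."""
    rec = RECORDS.get(req.record_id)
    if rec is None or rec["owner"] != req.user:
        return None
    return rec


class TokenBucket:
    """Per-client token bucket: `capacity` requests allowed at once, refilled at
    `rate` requests per second. The `now` argument keeps the demo deterministic."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.tokens: Dict[str, float] = {}
        self.last: Dict[str, float] = {}

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        tokens = self.tokens.get(client, float(self.capacity))
        elapsed = now - self.last.get(client, now)
        tokens = min(self.capacity, tokens + elapsed * self.rate)
        self.last[client] = now
        if tokens < 1:
            self.tokens[client] = tokens
            return False
        self.tokens[client] = tokens - 1
        return True


def serve(req: Request, limiter: TokenBucket, now: float) -> Tuple[int, Optional[dict]]:
    """Hardened endpoint: rate limit first, then the ownership-checked lookup.
    Returns (HTTP status, body)."""
    if not limiter.allow(req.user, now):
        return 429, None
    rec = hardened_lookup(req)
    if rec is None:
        return 404, None
    return 200, rec


def demo() -> dict:
    """user_a asks for its own record (1001) and for user_b's (1002), then sends a
    burst of seven requests at t=0 against a bucket of five."""
    own, other = Request("user_a", 1001), Request("user_a", 1002)
    limiter = TokenBucket(capacity=5, rate=1.0)
    burst: List[int] = [serve(own, limiter, now=0.0)[0] for _ in range(7)]
    return {
        "vulnerable_leaks_other": vulnerable_lookup(other) is not None,
        "hardened_own": hardened_lookup(own) is not None,
        "hardened_other": hardened_lookup(other) is not None,
        "burst_statuses": burst,          # five 200s, then 429s
        "after_refill": serve(own, limiter, now=3.0)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check in `hardened_lookup` is the actual IDOR fix; the rate limiter only slows enumeration and is a defence in depth, not a substitute for authorization. Keying the limiter on the authenticated user rather than the source IP matters because a single account behind many addresses would otherwise escape it.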
A different insurance vendor linked with IRCTC had the exact same vulnerability that was patched after Jain reported it to CERT-In, the nodal agency under the Union Ministry of Electronics and Information Technology to deal with cyber security threats, in 2018, he told The Quint.
API is the acronym for Application Programming Interface, the defined interface through which one application requests data or actions from another.
The kind of data that is allegedly being exposed due to this vulnerability could leave lakhs of people susceptible to phishing scams and doxxing.
Doxxing involves looking up the details of people’s lives, usually by digging through their social media profiles, publicly available data, government records, and even comments across old and defunct message boards.
While snippets of this information might be irrelevant individually, put together, they can cause real harm. They can be misused to threaten, harass, or stalk you.
The researchers said that they hope this report will be a wake-up call for the government to improve and "strengthen its commitment to responsible data practices."