Bug in IRCTC app can let anyone cancel your booked ticket if exploited

By: The Mobile Indian network, New Delhi Last updated : June 12, 2019 9:04 pm

A security researcher found a major security vulnerability that if exploited would have allowed an attacker to have cancelled a booked ticket on train-ticketing site IRCTC. The flaw, if remained unfixed could have allowed any hacker to access personal details like address and phone number of any of the million users.

We had just recently listed how you can keep yourself and your data secure after instances where mobile threats have started to pop up in abundance, compromising the security of users, organisations or the functioning of a government. To add to the concerns revolving around privacy and security, here we have another flaw in one of the most used and popular portals in India - the Indian Railway Catering and Tourism Corporation or simply put, IRCTC. 


A security researcher by the name Ronnie T Baby has now found a major flaw inside the new IRCTC website which was revamped with an improved design in May last year. The researcher found a major security vulnerability that if exploited would have allowed an attacker to have cancelled a booked ticket. Not just that, the flaw could have also allowed any hacker to access the personal details like address and phone number of any of the million users who would have logged in to the Indian Railways site. 


The IRCTC bug was spotted inside the site’s password reset option which like any other website allowed a user to receive and enter an OTP that’s sent to their registered mobile number. The catch here was that while IRCTC had set up captchas to not allow brute-forcing the OTPs, it by mistake allowed the reuse of the same captchas on an unlimited basis. 


The technique thus enabled the researcher to try out several OTPs and brute-force the OTP mechanism after which he was able to enter anyone’s IRCTC account. The hack, while being straightforward and simple, was, however, not noticeable to a non-suspicious user. But if the extent of the hack were left to be exploited, the personal details of millions of IRCTC users would have been left exposed. You were even allowed to cancel an actually booked ticket if you had the means to exploit the bug. 


The brute-forcing of the OTPs was possible because users were allowed to repeatedly use the same captchas. Apart from that, the OTPs sent by the IRCTC website were a mere 6-digit numeric code which could be anything from ‘000000’ to ’999999’, thus allowing a user with a maximum of 999999 attempts to log in to the account. This kind of OTP brute-forcing isn’t that big of a deal since anyone can easily utilise a brute-forcing tool like Burp that could easily break into a site like IRCTC. 


The researcher has put up a timeline of the proceedings since he first discovered reported the presence of such a bug on the IRCTC which was last month. The issue has since been fixed but IRCTC took a little less than a month to process the necessary patches inside the captcha verification mechanism. All of this only begs the question, if there exists a perfect system which is free from a major vulnerability and is also run by the government. We hope to live when such a day exists. 


In the last couple of months itself, there have been many instances of security breaches, the most recent of them when the Jharkhand government was found responsible for exposing Aadhaar numbers and information of its 166,000 employees. It was also found that scammers have now started using Google Translate’s domain to carry out phishing attacks. We also reported that Google recently fixed a flaw in Android which allowed attackers to execute malicious codes by sending an image file. Another example is when the Dark web exposed accounts of as much as 617 million users across 16 popular websites.


You might like this



Login with

Mobile Finder