Teen Bounty Hunter From Chennai Helps Railways Fix Major Bug In Ticketing Portal
CHENNAI: P Renganathan, like all teenagers, spends a lot of time online, but what he does there is unusual. In his spare time, the 17-year-old Class 12 student from Chennai works as a bug bounty hunter.
A youngster from a city school assisted the Indian Railway Catering and Tourism Corporation (IRCTC) in fixing a problem on its online ticketing platform that could have exposed the personal information of millions of travellers.
He was able to view the journey data of other passengers because of a significant Insecure Direct Object Reference (IDOR) vulnerability on the website.
Acting on his warning, the Computer Emergency Response Team, India, informed the IRCTC of the vulnerability, which was rectified, preventing a possible hack of the country’s largest online ticketing platform.
HOW THIS HAPPENED
P. Renganathan (17), a Standard 12 student at a private school in Tambaram, Chennai, was booking a railway ticket a few days ago by logging into the IRCTC portal when he discovered specific weaknesses that could undermine its security safeguards.
The website’s significant Insecure Direct Object Reference (IDOR) vulnerability allowed him to view other passengers’ journey details such as name, gender, age, PNR number, train details, departure station, and date of journey.
“Because the back-end code is identical, a hacker could buy food, modify the boarding station, and even cancel the ticket without the knowledge of the genuine passenger.
Other services, such as domestic/international tourism, bus tickets, and hotel bookings, would have been available in other passengers’ user profiles. Most crucially, there was a chance that a massive database containing millions of passengers would be leaked,” Renganathan explained.
On August 30, 2021, he reported the vulnerability to the CERT, India, which quickly created a ticket. According to Renganathan, the bug was patched and recognised by the IRCTC five days later.
According to the adolescent, he has received recognition from LinkedIn, the United Nations, Nike, and Lenovo, among others, for disclosing security flaws in their web programmes.
Renganathan wants to pursue a career in Computer Science while continuing independent research on the security of web applications.