InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Exposing Millions of IRCTC Passengers' ticket details.

Hi There,

Renganathan Here, I’m an Ethical Hacker & a Security researcher.

I’ve been acknowledged by LinkedIn, United Nations, BYJU’s, Nike, Lenovo, Upstox for reporting security vulnerabilities in their web applications.

What’s IRCTC?

IRCTC runs India’s largest online ticketing operation and one of the largest e-commerce sites. It has around 30 million registered users and around 550,000 to 600,000 bookings every day, which makes it the world’s second-busiest travel portal, generating revenue of $20 million every year (Source: Wiki).

While I was booking a ticket as a normal human I suddenly got an idea to test for vulnerabilities.

Hacker Mode!

So the first vulnerability that came to my mind was IDOR. Here are the steps to reproduce.

  1. Log in to your IRCTC account.
  2. Go to My account > My Transactions > Booked Ticket History.
  3. The tickets listed there expand on click.

I used Burp Suite, turned on interception, and saw the GET request below.

GET /eticketing/protected/mapps1/historySearchByTxnId/XXXXXXXXXX48?currentStatus=N HTTP/1.1
Host: www.irctc.co.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.irctc.co.in/nget/txn/my-transactions?page=Booked%20Ticket%20History&eWallet=false

I tested for IDOR by decreasing the number in the transaction ID and forwarding the packet.

And yeah! I got a random user’s transaction and ticket details, like train number, departure time, duration of the journey, PNR number, status of the ticket, boarding station, and passengers' information like their names, seat details, gender & age.

Since the backend code is the same, it’s also vulnerable to cancelling the ticket, changing the boarding point, ordering food, booking a hotel, tourist package, and even booking a bus.
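
The missing ownership check behind this kind of IDOR, next to a hardened version that also covers a state-changing action such as cancellation. This is an added example, not IRCTC's code and not part of the original write-up; the handler names, the in-memory store and the sample IDs are hypothetical and constructed.

```python
# Constructed sample data: sequential transaction IDs, each owned by one user.
TRANSACTIONS = {
    1000000047: {"owner": "alice", "pnr": "PNR-A", "status": "BOOKED"},
    1000000048: {"owner": "bob", "pnr": "PNR-B", "status": "BOOKED"},
}


class NotFound(Exception):
    """Raised for both missing and foreign records, so IDs cannot be probed."""


def history_search_vulnerable(session_user, txn_id):
    # Flaw: any authenticated session can read any ID; ownership is never checked.
    return TRANSACTIONS[txn_id]


def load_owned_txn(session_user, txn_id):
    # Single authorization choke point: look up the object, then compare its
    # owner with the user taken from the server-side session, not the request.
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn["owner"] != session_user:
        raise NotFound(txn_id)
    return txn


def history_search_fixed(session_user, txn_id):
    return load_owned_txn(session_user, txn_id)


def cancel_ticket_fixed(session_user, txn_id):
    # State-changing actions reuse the same check as the read path.
    txn = load_owned_txn(session_user, txn_id)
    txn["status"] = "CANCELLED"
    return txn


def is_denied(handler, session_user, txn_id):
    # Helper for exercising the handlers: True when the call is refused.
    try:
        handler(session_user, txn_id)
        return False
    except NotFound:
        return True
```

Returning the same error for a missing record and for someone else's record keeps the endpoint from confirming which transaction IDs exist.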

I immediately recorded a POC & reported it to incident@cert-in.org.in

POC:

Timeline:

Aug 30, 2021, 12:45 pm: Reported

Aug 30, 2021, 1:30 pm: A ticket was assigned.

Sept 4, 2021: The issue was resolved (retested)

Sept 11, 2021: Acknowledged by IRCTC.

Acknowledgment from IRCTC

Thanks for reading :)
Stay Safe.

https://www.instagram.com/renganathanofficial

https://twitter.com/IamRenganathan

Published in InfoSec Write-ups

Written by Renganathan

20 | Building R Protocols | Ethical Hacker👨‍💻 | Secured Google, Apple, Amazon, United Nations, LinkedIn and 45+ companies

Responses (1)

Superb bro 👌👌