Critical flaw found on IRCTC website that allowed attackers to cancel any booked ticket

The issue was reported to IRCTC on January 19, 2019, and in about less than a month, IRCTC fixed the problem.

  • Updated: February 23, 2019 12:43 PM IST
IRCTC security flaw

Image credit: Ronnie T Baby

IRCTC or Indian Railways Catering and Tourism Corporation, the subsidiary of Indian Railway and run by Ministry of Railway is the cornerstone of affordable travel in India. The subsidiary is used by hundreds of thousands of users to book tickets as an increasing number of Indians get on the internet. Keeping up with the trend, IRCTC has a functioning website along with a dedicated mobile app to book and manage tickets. Given the large number of users that are dependent on the website, any security flaw that affects the website or the service is bound to have far-reaching implications for all IRCTC users.

According to a new report, a major security flaw was discovered in the website by Ronnie T Baby, a security researcher. The alarming part about the flaw was that it was relatively easy to exploit by anyone who knew what they were doing. The flaw allowed hackers to access lakhs of IRCTC accounts to cancel booked tickets. According to a detailed post by the researcher on LinkedIn, the bug was discovered in the password reset option. According to the details of the flaw, which was initially reported by FossBytes, password reset option required users to put their IRCTC user ID and then your device receives an OTP message to change the password.

The OTP field was protected by a captcha challenge, a field where you need to enter whatever was visible in the picture. The captcha challenge ensured that nobody could find the OTP with the help of a brute-force attack where a program would enter random numerical OTPs to guess the correct one. The flaw here allowed anyone to reuse any existing valid OTP for unlimited password requests.

According to the post, the researcher was able to brute-force the OTP and then log in to the IRCTC account giving access to details including address, and booked tickets. This also gave him the ability to cancel any booked tickets. The only requirement for this to work was that the user should know the user id of the IRCTC account which can easily be guessed.

The important thing to note here is that the issue was reported to IRCTC on January 19 and then in about less than a month, IRCTC fixed the problem on February 12 with a proper captcha verification.

  • Published Date: February 23, 2019 12:43 PM IST
  • Updated Date: February 23, 2019 12:43 PM IST