IRCTC reportedly fixed a major security bug after almost two years, according to ET. The vulnerability said to have exposed at least 2,00,000 (2 lakh) passengers and their nominee details to attackers, although it is not confirmed if the data was actually accessed or not.
According to the report, the vulnerability was found in IRCTC’s website and mobile app link that connects to a third-party insurance company for free travel insurance. A service that IRCTC introduced in December 2016.
The free travel insurance was mandatory for everyone who booked tickets through IRCTC’s website or mobile app. The travel insurance meant that passenger details along with nominee will be shared with the third-party insurance company for insurance cover.
Interestingly, the security bug was reported by a security researcher Avinash Jain two months back in August 2018 (dated August 14) and IRCTC took cognizance of the matter by fixing it on August 29.
“Within 10 minutes (after finding the bug) we were able to read almost 1,000 passenger and nominee information,” Jain told ET.
While IRCTC roughly handles about 6,00,000 (6 lakh) ticket bookings daily, Jain estimated at least 2,00,000 (2 lakh) passengers and their nominee details were left exposed because of one insurance company out of three had the vulnerability left open.
“There are three companies offering rail travel insurance, and we found vulnerabilities in the linkage to only Shriram General Insurance,” co-researcher, Gurunatha Reddy Gopireddy told ET.
Apparently, the other two insurance companies, ICICI Lombard General Insurance and Royal Sundaram General Insurance, did not carry the same bug. Other interesting thing is that IRCTC fixed the bug on August 29, but it stopped free mandatory travel insurance from September 1, allowing users to instead opt-in or opt-out of travel insurance.