School student catches flaw in IRCTC website that could have leaked customer data

A school student caught a flaw on IRCTC’s e-ticketing platform that could have leaked customer data. IRCTC rectified it after a Class 12 student from Chennai warned of an Insecure Direct Object Reference (IDOR) vulnerability on the booking site.

A senior official said on Tuesday that the IT department of the Indian Railway Catering and Tourism Corporation (IRCTC) immediately took cognizance of the complaint and resolved the issue. The complaint came to the fore on August 30 and was rectified on September 2, the official said, adding, “Now our e-ticketing system is completely secure.”

P Renganatham, a Class 12 student studying in a private school in Tambaram here, said that when he was trying to book tickets on August 30, he saw this problem (IDOR) on the website, which leaks the transfer details of lakhs of passengers. This is a very common problem.

He immediately informed the Indian Computer Emergency Response Team (CERT-In) about this. In an email complaint to CERT-In, which works under the Ministry of Electronics and Information Technology, he said that through this flaw one can also cancel someone else’s ticket and collect sensitive information.