Date: 2022-05-19

Indian Railway Catering and Tourism Corporation (IRCTC), the public sector company which sells nearly 5 lakh tickets a day through its website and mobile app, is putting the data of lakhs of commuters at risk, according to cybersecurity experts.

In December 2016, the Indian Railways started giving accidental insurance cover at nominal rates (less than a rupee) to passengers who booked their tickets online.

Cybersecurity researchers Aseem Shrey and Avinash Jain found that the websites of two of these providers, Bajaj Allianz and Liberty General Insurance, expose passenger and nominee details due to a vulnerability called IDOR.

Insecure direct object reference (IDOR) is a vulnerability "through which an attacker can directly access the objects (data) belonging to other users by bypassing the access control mechanism in place." It is one of the most common and impactful security vulnerabilities, Jain said.
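To make the definition concrete, here is an added illustration that is not code from IRCTC, the insurers or the researchers quoted in the article: a minimal record-lookup service with an IDOR-prone handler beside a hardened one, plus a small detection check over constructed audit events. All user ids, policy ids and record contents below are constructed for the example.

```python
"""
Added example: an IDOR-prone lookup next to its hardened form, and a
detection helper over audit events. Nothing here is taken from the
services named in the article; every identifier is constructed.
"""

# Constructed sample store: policy id -> record, each owned by one passenger.
POLICIES = {
    1001: {"owner": "user_a", "nominee": "A. Nominee", "pnr": "0000000001"},
    1002: {"owner": "user_b", "nominee": "B. Nominee", "pnr": "0000000002"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def get_policy_vulnerable(policy_id: int) -> dict:
    """IDOR-prone: the server trusts the client-supplied id and never asks
    who is calling, so any id that exists is served to anyone."""
    return POLICIES[policy_id]


def get_policy_hardened(caller: str, policy_id: int) -> dict:
    """Hardened: the id still comes from the client, but the server checks
    that the authenticated caller owns the record before returning it.
    Missing and foreign records raise the same error so the response does
    not reveal whether an id exists."""
    record = POLICIES.get(policy_id)
    if record is None or record["owner"] != caller:
        raise Forbidden("not authorised for this object")
    return record


def lookup_allowed(caller: str, policy_id: int) -> bool:
    """Convenience wrapper: True if the hardened lookup would succeed."""
    try:
        get_policy_hardened(caller, policy_id)
        return True
    except Forbidden:
        return False


def flag_enumeration(events, threshold: int = 3):
    """Detection check over audit events of the form
    (caller, policy_id, allowed). A caller denied on many distinct ids is
    the usual signature of someone walking the id space; return those
    callers, sorted, once the count of distinct denied ids reaches
    `threshold`. The threshold is an assumed tuning value."""
    denied = {}
    for caller, policy_id, allowed in events:
        if not allowed:
            denied.setdefault(caller, set()).add(policy_id)
    return sorted(c for c, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # Constructed audit trail: user_a is denied on three foreign ids,
    # user_b reads its own record once.
    trail = [
        ("user_a", 1002, lookup_allowed("user_a", 1002)),
        ("user_a", 1003, lookup_allowed("user_a", 1003)),
        ("user_a", 1004, lookup_allowed("user_a", 1004)),
        ("user_b", 1002, lookup_allowed("user_b", 1002)),
    ]
    print("vulnerable handler serves any id:", get_policy_vulnerable(1002))
    print("hardened handler, own record:", get_policy_hardened("user_a", 1001))
    print("flagged callers:", flag_enumeration(trail))
```

The fix is the ownership comparison in `get_policy_hardened`: the object id may remain visible in the URL or request body, but the server binds every read to the authenticated session. Logging the denied lookups is what lets the `flag_enumeration` check (or an equivalent rule in a SIEM) notice a client that is walking through ids it does not own.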

The Quint has emailed the Indian Computer Emergency Response Team (CERT-In) and IRCTC about the alleged vulnerability, but we haven't received a response yet.