Data of Travellers Who Book Tickets Through IRCTC at Risk, Say Researchers
Researchers said that just by changing a number in the APIs, they were able to access passenger and nominee details.
Indian Railway Catering and Tourism Corporation (IRCTC), the public sector company which sells nearly 5 lakh tickets a day through its website and mobile app, is putting the data of lakhs of commuters at risk, according to cybersecurity experts.
In December 2016, the Indian Railways started giving accidental insurance cover at nominal rates (less than a rupee) to passengers who booked their tickets online.
Cybersecurity researchers Aseem Shrey and Avinash Jain found that the websites of two of these providers, Bajaj Allianz and Liberty General Insurance, expose passenger and nominee details due to a vulnerability called IDOR.
Insecure direct object reference (IDOR) is a vulnerability "through which an attacker can directly access the objects (data) belonging to other users by bypassing the access control mechanism in place." It is one of the most common and impactful security vulnerabilities, Jain said.
The Quint has emailed the Indian Computer Emergency Response Team (CERT-In) and IRCTC about the alleged vulnerability, but we haven't received a response yet.
What Data Is at Risk?
The researchers found that the following details were available through this vulnerability:
Passenger's full name
Gender and age
Insurance nominee's name, age and relationship
Shrey and Jain said that just by changing a number in the website APIs, they were able to access passenger and nominee details and were even able to change or modify them.
"Both of their APIs are not protected by any rate-limiting, information about passengers is accessible without any proper protection mechanism. Within three minutes, we were able to read almost 1000 passengers' information."
Aseem Shrey and Avinash Jain
Rate limiting is a mechanism that slows down the rate at which information requests can be made to a server. The absence of rate limiting allowed the researchers to make requests to the vulnerable endpoint at a very rapid rate and access the data en masse, they said.
"The simplicity of this vulnerability and its impact makes it highly critical. We could have access to millions of passenger information in a few hours. This could be potentially one of the largest data breaches in IRCTC again."
Aseem Shrey and Avinash Jain
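The two weaknesses the researchers describe, a lookup keyed only on a guessable record number and no limit on how fast that lookup can be called, are easiest to see side by side. The following is an added illustration, not code from the article or from IRCTC or either insurer: a minimal in-memory model of a passenger-insurance lookup in which the first handler has the IDOR flaw and the second adds the two controls that close it, an ownership check tied to the authenticated booking and a per-client rate limit. The record ids, user names, limits and the handler names are all constructed for the example.

```python
"""Added example (not from the article or the vendors it names): a
passenger-insurance lookup modelled two ways, IDOR-prone and hardened.
All records, users and limits are constructed sample data."""

import time
from collections import defaultdict, deque

# Constructed sample records. Sequential ids are exactly what makes
# "just change a number" work against the unprotected handler.
PASSENGER_RECORDS = {
    1001: {"owner": "user_a", "name": "Passenger A", "age": 34,
           "nominee": {"name": "Nominee A", "age": 60, "relation": "parent"}},
    1002: {"owner": "user_b", "name": "Passenger B", "age": 28,
           "nominee": {"name": "Nominee B", "age": 30, "relation": "spouse"}},
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested record."""


class TooManyRequests(Exception):
    """Raised when the caller exceeds its request budget for the window."""


def get_insurance_vulnerable(record_id: int) -> dict:
    """IDOR-prone handler: the only input is the record id, so any caller
    who can guess or increment the id receives any passenger's details."""
    return PASSENGER_RECORDS[record_id]


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds
    per client key. In-memory for the example; a deployment would back it
    with a store shared across API instances."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)

    def check(self, client_key: str) -> None:
        now = self.clock()
        hits = self._hits[client_key]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            raise TooManyRequests(client_key)
        hits.append(now)


def get_insurance_hardened(record_id: int, session_user: str,
                           limiter: RateLimiter) -> dict:
    """Hardened handler: rate-limit first, then look the record up and
    refuse unless the authenticated session owns it. Using one error for
    'missing' and 'not yours' avoids confirming which ids exist."""
    limiter.check(session_user)
    record = PASSENGER_RECORDS.get(record_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(record_id)
    return record


def demo() -> dict:
    """Exercise both handlers and return the outcomes for checking."""
    results = {}
    # Vulnerable: user_a asks for user_b's record and simply gets it.
    results["vuln_cross_user"] = get_insurance_vulnerable(1002)["owner"]
    limiter = RateLimiter(limit=5, window=60.0)
    # Hardened: own record is returned, another user's record is refused.
    results["own_record"] = get_insurance_hardened(1001, "user_a", limiter)["name"]
    try:
        get_insurance_hardened(1002, "user_a", limiter)
        results["cross_user_blocked"] = False
    except Forbidden:
        results["cross_user_blocked"] = True
    # Hardened: the sixth call inside the window hits the rate limit.
    try:
        for _ in range(4):
            get_insurance_hardened(1001, "user_a", limiter)
        results["rate_limited"] = False
    except TooManyRequests:
        results["rate_limited"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership check is the control that actually fixes the IDOR; the rate limit is defence in depth that turns a bulk read into a slow one and gives monitoring a signal (a burst of 429 responses from one client) to alert on. Keying the limiter on the authenticated session rather than the source IP matters here, since the original endpoints accepted requests without any session at all.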
'This Has Happened Before'
A different insurance vendor linked with IRCTC had the exact same vulnerability, which was patched in 2018 after Jain reported it to CERT-In, the nodal agency under the Union Ministry of Electronics and Information Technology for dealing with cyber security threats, he told The Quint.
He said this was happening again because IRCTC doesn't carry out stringent security testing while onboarding vendors and integrating their APIs.
API is the acronym for Application Programming Interface – software that allows two applications to talk to each other.
The kind of data that is allegedly being exposed due to this vulnerability could leave lakhs of people susceptible to phishing scams and doxxing.
Doxxing involves looking up the details of people’s lives, usually by digging through their social media profiles, publicly available data, government records, and even comments across old and defunct message boards.
While snippets of this information might be irrelevant individually, put together, they can cause real harm. They can be misused to threaten, harass, or stalk you.
The researchers said that they hope this report will be a wake-up call for the government to improve and "strengthen its commitment to responsible data practices."