The Indian Railway Catering and Tourism Corporation (IRCTC) has stated that there is no chance of cancelling a train ticket by using a different user identity and password.
Referring to a report titled “Teen flags bug in IRCTC’s system” published in these columns on September 21, 2021, IRCTC’s spokesperson Anand Kumar Jha said that there was no scope to cancel a ticket or change the boarding station etc. by taking advantage of a vulnerability since the functionalities were user profile specific.
But, he said the issue of accessing the transaction details by changing the transaction identity had been fixed on second September 2, 2021. IRCTC website is well secured and subjected to third-party security audits, he added.
However, P. Renganathan (17), Chennai-based XII Standard student who flagged the issue had written to the the Computer Emergency Repose Team stating that he had discovered a critical vulnerability that leaked the transaction details of millions of travellers.
Explaining how the private data could be accessed, Renganathan said that by changing the transaction identity one could gain access to others travel details. “You will get all the sensitive details. You can also cancel someone’s ticket or do anything malicious,” he said.
To this, CERT thanked the teenager and confirmed by email that the vulnerability had been fixed.
