
A serious vulnerability that previously permitted unauthorised access to passengers' travel records and allowed changes to nominee information in the insurance policy has been fixed by the Indian Railway Catering and Tourism Corporation (IRCTC) on its insurance portal.
The IRCTC insurance portal had a serious vulnerability that exposed sensitive passenger data, including travel plans and contact information. Even though the problem was discovered on the third-party managed insurance site, IRCTC, as custodian of the data, still bore the privacy and data-security consequences.
Nilabh Rajpoot of Noida, a cybersecurity researcher, identified the bug after booking train tickets on the IRCTC website and opting for travel insurance. He received a link via SMS that, upon entering the PNR and registered mobile number, opened the travel insurance policy provided by United India Insurance. The link included an option to update nominee details.
Driven by his curiosity and hacker instincts, Rajpoot investigated potential data leaks on the portal. By entering random PNRs and fictitious mobile phone numbers, he found that the portal revealed passengers' travel details, such as journey date, train number, berth/seat, email, mobile phone, and insurance policy information. The portal also offered the option of modifying the nominee details without requiring an OTP or security question.
“I entered hundreds of random PNRs and mobile phone numbers and accessed passengers’ travel/insurance details. Although the link issued an alert that the mobile number did not exist, it still provided the passenger data. I immediately reported the issue on July 23, 2024, to the Computer Emergency Response Team – India (CERT-In), which communicated the vulnerability to the relevant organisation,” Rajpoot told a news daily.
In a reply, CERT-In said the organisation concerned had confirmed that the vulnerability had been fixed and asked him to verify the fix at his end.
Rajpoot focuses on identifying and mitigating security risks through routine assessments of various online portals. “In this case, unauthorised individuals could access and modify policyholders’ details, including nominee information. We must protect sensitive information from fraudulent access and manipulation,” he said.
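The failure the article describes is a broken access check: the portal keyed the lookup on the PNR alone, only warned when the mobile number did not match, and let nominee details be changed with no second factor. The following is an added illustration, not IRCTC's or the insurer's code; the records, handler names and in-memory OTP store are constructed for the example. It places the flawed lookup beside a hardened one that requires both identifiers to match, returns the same generic failure for an unknown PNR and a wrong mobile, and gates nominee changes behind a single-use OTP.

```python
"""Constructed model of the IRCTC insurance-portal bug and its fix (hypothetical code)."""
import hmac
import secrets

# Constructed sample policy records keyed by PNR; all values are made up.
POLICIES = {
    "1234567890": {"mobile": "9000000001", "train": "12345",
                   "berth": "S1-23", "nominee": "Original Nominee"},
}

def lookup_vulnerable(pnr, mobile):
    """Flawed handler: a mismatched mobile only adds an alert; the record is still returned."""
    rec = POLICIES.get(pnr)
    if rec is None:
        return None
    alert = None if rec["mobile"] == mobile else "Mobile number does not exist"
    return {"alert": alert, "policy": rec}  # leaks travel/insurance data regardless of alert

def lookup_fixed(pnr, mobile):
    """Hardened handler: PNR and registered mobile must both match before anything is returned.
    Unknown PNR and wrong mobile produce the identical response, so neither can be enumerated."""
    rec = POLICIES.get(pnr)
    if rec is None or not hmac.compare_digest(rec["mobile"], mobile):
        return None
    return {"alert": None, "policy": rec}

# Pending one-time codes, keyed by PNR (constructed in-memory store for the example).
_PENDING_OTPS = {}

def request_nominee_change(pnr, mobile):
    """Issue a single-use OTP once the caller proves PNR + registered mobile.
    Returned here only so the example is self-contained; a real system sends it by SMS."""
    if lookup_fixed(pnr, mobile) is None:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    _PENDING_OTPS[pnr] = otp
    return otp

def update_nominee(pnr, mobile, otp, new_nominee):
    """Change the nominee only after PNR + mobile match and the OTP verifies.
    The code is consumed on first use, so a wrong guess or a replay both fail."""
    if lookup_fixed(pnr, mobile) is None:
        return False
    expected = _PENDING_OTPS.pop(pnr, None)
    if expected is None or not hmac.compare_digest(expected, otp):
        return False
    POLICIES[pnr]["nominee"] = new_nominee
    return True
```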