Did IRCTC bug leave 2 lakh passengers' information exposed to hackers for 2 years?

The free travel insurance that the Indian Railway Catering and Tourism Corporation (IRCTC) was mandatorily offering till September 1, reportedly left around two lakh passengers vulnerable to hacking attack. And the body handling the online ticketing operations of the Indian Railways learnt about this security vulnerability less than a month before it decided to take back the provision of free insurance.

According to The Economic Times, in August, security researcher Avinash Jain discovered the bug in IRCTC's website and mobile app link that connects to a third-party insurance company for free travel insurance. The latter, introduced in December 2016 to encourage customers to book their tickets online, entailed IRCTC sharing passenger details of all travellers with third-party insurers to take the cover.

The bug would have given hackers unfettered access to passenger details such as name, age, gender and insurance nominees without their knowledge or consent. Given that the IRCTC handles a huge number of e-tickets daily, this bug could have led to a massive data breach.

As per IRCTC's annual report for 2016-17, e-ticketing accounted for 62% of reserved railway tickets in India, with more than 573,000 tickets sold daily through the IRCTC website. The daily could not verify whether any data had been compromised during the nearly two years that IRCTC was clueless about the vulnerability.

"Within 10 minutes (after finding the bug) we were able to read almost 1,000 passenger and nominee information," Jain told the daily. On August 14, he wrote to IRCTC alerting them about the problem, which was acknowledged and fixed on August 29. That's just two days before the Indian Railways decided to discontinue offering free mandatory travel insurance and instead allow travellers to choose to pay for the same.

Till September 1, after booking a ticket on IRCTC's website or mobile app, passengers had to fill nominee details at the respective insurance company website, generating an encrypted transaction ID. "To get the personal details of a traveller, we needed a valid combination of the transaction ID and passenger name record (PNR) number," said Jain, who has reported critical security vulnerabilities and been rewarded by NASA, Google, and Paytm, among others. "We were able to fetch details of any passenger by decoding the encrypted data (transaction ID/PNR) through brute force." The 10-digit PNR number, which is a record of a person in the database of a computer reservation system, was also obtainable through the brute force technique.

"There are three companies offering rail travel insurance, and we found vulnerabilities in the linkage to only Shriram General Insurance," Gurunatha Reddy Gopireddy, co-researcher in the disclosure, told the daily. Links to the other two insurance companies, ICICI Lombard General Insurance and Royal Sundaram General Insurance, did not carry the same bug.

The Indian Computer Emergency Response Team (CERT-In), the agency that handles cybersecurity threats, had 53,081 reported incidents in the country in 2017. According to Jain, less than 1% of the reporting to CERT-In comes from security researchers. "Responsible disclosure of flaws is not rewarded by the government," said Jain, adding that Indian researchers received over $1.8 million in bounties last year.

(Edited by Sushmita Choudhury Agarwal)