Table of Contents
IRCTC plugs critical data breach on insurance portal
A cybersecurity analyst had flagged vulnerability that gave access to travel details of passengers and also option to change nominee in travel insurance
CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end.
| Photo Credit: Special Arrangement
The Indian Railway Catering and Tourism Corporation (IRCTC) has addressed a critical vulnerability on its insurance portal that previously allowed unauthorised access to passengersā travel details and enabled changes to nominee information in the insurance policy.
Cybersecurity researcher Nilabh Rajpoot of Noida discovered the bug after booking train tickets on the IRCTC website and opting for travel insurance. He received a link via SMS that, upon entering the PNR and registered mobile number, opened the travel insurance policy provided by United India Insurance Co Ltd. The link included an option to update nominee details.
Cost of data breaches in India hits all-time high in FY24: IBM
Mr. Rajpootās curiosity and hacker instincts led him to investigate potential data leaks on the portal. By entering random PNRs and fictitious mobile phone numbers, he found that the portal revealed passengersā travel details, such as journey date, train number, berth/seat, email, mobile phone, and insurance policy information. Shockingly, the portal allowed modification of nominee details without requiring an OTP or security question.
Random PNRs
āI entered hundreds of random PNRs and mobile phone numbers and accessed passengersā travel/insurance details. Although the link issued an alert that the mobile number did not exist, it still provided the passenger data. I immediately reported the issue on July 23, 2024, to the Computer Emergency Response Team ā India (CERT-In), which communicated the vulnerability to the relevant organisation,ā Mr. Rajpoot told The Hindu on Sunday.
In a reply on July 30, 2024, CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end.
How to spot fake websites and avoid scam
The vulnerability on the IRCTC insurance portal was significant as it exposed sensitive passenger information, including journey and contact details. Although the issue was found on the insurance portal managed by a third party, the data security and privacy concerns affected IRCTC as the custodian.
Mr. Rajpoot focuses on identifying and mitigating security risks through routine assessments of various online portals. āIn this case, unauthorised individuals could access and modify policyholdersā details, including nominee information. We must protect sensitive information from fraudulent access and manipulation,ā he said.
Read Comments
- Copy link
- Telegram
READ LATER
Remove
SEE ALL
PRINT
Related Topics
railway
/
indian railways