India's largest e-ticketing platform fixes bug after school student raises alarm

21-Sep-2021
Chennai, Sept 21 (PTI) The Indian Railway Catering and Tourism Corporation Ltd (IRCTC) fixed a bug on its e-ticketing platform after a Plus Two lad from the city raised an alarm over the presence of an Insecure Direct Object Reference (IDOR), a type of access control vulnerability, in the booking site.

The IT wing of the IRCTC, which took note of the complaint, immediately resolved the vulnerability issue that had been reported, a senior official said on Tuesday.

"Our e-ticketing system is well protected now. The issue was reported on August 30 and it was fixed on September 2," he added.

An IDOR, a type of access control vulnerability, arises when an application uses user-supplied input to access objects directly.

"I accidentally discovered a critical IDOR that leaks the transaction details of millions of travelers when I was trying to book tickets on August 30. It was the most common bug. Immediately I reported it to the Indian Computer Emergency Response Team (CERT-In)," P Renganathan, a Plus Two student of a private school in Tambaram here, said.

"I've discovered a critical IDOR that leaks the transaction details of millions of travelers. Go to your account ticket history, click on any ticket with Burp Suite turned on. Now change the transaction ID to gain access to another's tickets; you will get all the sensitive details. You can also cancel someone's ticket or do anything malicious," he said in an email complaint to CERT-In, under the Union Ministry of Electronics and Information Technology.

As a mitigation, Renganathan, who identifies himself as an ethical hacker and cyber security researcher, said that the booked user and ticket should be validated so that no one else can access it except the booked user.

On September 11, 2021, he received a mail thanking him for reporting the incident to CERT-In and also a confirmation that the reported vulnerability had been resolved by the authorities concerned.

Renganathan, currently pursuing the commerce group, has been acknowledged by LinkedIn, the United Nations, BYJU's, Nike, Lenovo and Upstox for reporting security vulnerabilities in their web applications.

Schools across Tamil Nadu re-opened only for classes ninth to twelfth on September 1. "I have opted for online classes owing to the pandemic," he said. PTI JSP ROH ROH
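The mitigation described above, as an added illustration rather than IRCTC's own code: a ticket-history lookup keyed only by transaction ID (the IDOR pattern) beside one that also validates that the ticket belongs to the logged-in user, with cancellation routed through the same check. The data store, field names and sample tickets are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample store keyed by transaction ID; schema is assumed, not IRCTC's.
@dataclass(frozen=True)
class Ticket:
    txn_id: str
    owner_user_id: str
    passenger_name: str
    pnr: str
    cancelled: bool = False

TICKETS = {
    "100000000000001": Ticket("100000000000001", "user_a", "A. Kumar", "PNR0001"),
    "100000000000002": Ticket("100000000000002", "user_b", "B. Devi", "PNR0002"),
}

class NotFound(Exception):
    """Raised for both missing and foreign tickets so ID probing learns nothing."""

def get_ticket_vulnerable(session_user: str, txn_id: str) -> Ticket:
    """IDOR: the user-supplied ID alone selects the record; session identity is ignored."""
    try:
        return TICKETS[txn_id]
    except KeyError:
        raise NotFound(txn_id)

def get_ticket_fixed(session_user: str, txn_id: str) -> Ticket:
    """Ownership check: the record must exist AND belong to the authenticated user."""
    ticket = TICKETS.get(txn_id)
    if ticket is None or ticket.owner_user_id != session_user:
        # One response for "does not exist" and "not yours" avoids leaking which IDs are live.
        raise NotFound(txn_id)
    return ticket

def cancel_ticket(session_user: str, txn_id: str) -> Ticket:
    """State-changing actions reuse the same ownership gate as reads."""
    ticket = get_ticket_fixed(session_user, txn_id)
    updated = Ticket(ticket.txn_id, ticket.owner_user_id, ticket.passenger_name, ticket.pnr, True)
    TICKETS[txn_id] = updated
    return updated

def can_access(lookup, session_user: str, txn_id: str) -> bool:
    """True if the given lookup returns a ticket to this user (used to compare the two paths)."""
    try:
        lookup(session_user, txn_id)
        return True
    except NotFound:
        return False
```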