      Not A First: IRCTC Insurance Portal Bug Exposed Passenger Details

      Cybersecurity researcher Nilabh Rajpoot discovered a major security flaw on the IRCTC insurance portal, which allowed unauthorised access to passenger travel details.

      By - Hera Rizwan |
      Published -  7 Aug 2024 12:31 PM IST

      Cybersecurity Researcher Uncovers Major Security Flaw in IRCTC Portal

      • Nilabh Rajpoot found a significant security vulnerability in the IRCTC insurance portal, which allowed unauthorised access to passengers' travel and insurance details.
      • The flaw revealed sensitive information such as journey date, train number, berth/seat, email address, mobile number, and insurance policy details.
      • In December 2022, a significant data leak affected about 3 crore individuals, and a similar bug was reported in 2018.

      Nilabh Rajpoot, a cyber security researcher, was booking a train ticket on the IRCTC portal when he discovered a significant security flaw. The bug sat in the linked travel-insurance portal: it permitted unauthorised access to other passengers' travel details and allowed the nominee on an insurance policy to be changed.

      The IRCTC portal, or Indian Railway Catering and Tourism Corporation portal, is an online platform operated by IRCTC, a subsidiary of Indian Railways. It serves multiple functions including ticket booking, tourism services, ticket cancellation and viewing PNR status.

      IRCTC offers an optional travel insurance policy for a premium of just 35 paise per passenger. The option is available only during the train ticket booking process on the IRCTC website or app.

      After booking the ticket, Rajpoot received two text messages. While one mentioned his seat number, coach and PNR, another message provided him with a link to update nominee details on the insurance portal.

      A nominee for insurance is a person designated by the policyholder to receive the insurance benefits in the event of the policyholder's death or other covered events. The nominee can be a family member, relative, friend, or anyone the policyholder chooses.

      The travel insurance policy, provided by United India Insurance Co. Ltd. via the IRCTC portal, is accessed by entering the passenger's PNR and registered mobile number. After updating his nominee details, Rajpoot's curiosity and cybersecurity expertise kicked in and prompted him to explore the portal further.

      "Initially, I entered my PNR and a made-up mobile number, and my insurance details still appeared. Then, I started entering random PNRs and fake mobile numbers," he told BOOM.

      Rajpoot entered hundreds of PNRs and mobile numbers. Among many misses, he found several cases where he could view other passengers' travel and insurance details. "The details included journey date, train number, berth/seat, email, mobile phone, number of passengers accompanying, arrival and departure stations, transaction number and insurance policy information. In some cases it even showed the pin code of the arrival stop," he said.

      Alarmingly, the researcher found that the portal also accepted changes to the nominee details without an OTP or any security question. Combined with the lookup that ignored the mobile number, this meant that anyone who reached a policy through a guessed PNR could also alter who would receive its benefits.
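      The two weaknesses above, a lookup that collects but never checks the mobile number and a nominee update that needs no OTP, modelled in Python as an added example. This is not code from IRCTC, the insurer, CERT-In or Rajpoot; every PNR, mobile number, name, IP address and the lockout threshold is constructed for illustration. The hardened forms bind the record to the registered mobile number, return the same "not found" for a wrong mobile as for an unknown PNR, release only the fields the nominee page needs, require a single-use OTP for the change, and lock a client out after repeated failures so that the bulk PNR guessing described above is cut off early.

```python
"""Added example: a model of the PNR + mobile-number lookup and nominee update
described in the article, broken form beside hardened form. This is not code
from IRCTC, the insurer or the researcher; all PNRs, mobile numbers, names and
the lockout threshold are constructed for illustration."""
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample policies keyed by PNR (a 10-digit number in the real
# system); "mobile" is the number registered at booking time.
POLICIES = {
    "4412345678": {"mobile": "9800000001", "train": "12951", "seat": "B2-23",
                   "email": "a@example.com", "nominee": "A. Sharma"},
    "4412345679": {"mobile": "9800000002", "train": "12301", "seat": "A1-07",
                   "email": "b@example.com", "nominee": "B. Rao"},
}


def sample_policies() -> dict:
    """Fresh, mutable copy of the constructed records for each scenario."""
    return {pnr: dict(rec) for pnr, rec in POLICIES.items()}


def lookup_vulnerable(policies: dict, pnr: str, mobile: str) -> Optional[dict]:
    """Broken form: the mobile number is collected but never compared, so a
    guessed PNR alone returns the whole travel and insurance record."""
    rec = policies.get(pnr)
    return dict(rec) if rec else None


def lookup_hardened(policies: dict, pnr: str, mobile: str) -> Optional[dict]:
    """Fixed form: the record is released only for the (PNR, registered mobile)
    pair; a wrong mobile is indistinguishable from an unknown PNR, and only the
    fields the nominee page needs are returned."""
    rec = policies.get(pnr)
    if rec is None or not hmac.compare_digest(rec["mobile"], mobile):
        return None
    return {"train": rec["train"], "nominee": rec["nominee"]}


class NomineeService:
    """Nominee changes. update_vulnerable takes the PNR alone, as the article
    describes. update_hardened also needs the registered mobile and a
    single-use OTP issued for that PNR and delivered out of band (issue_otp
    returns it here in place of an SMS). Failed attempts are counted per
    client and the client is locked out after MAX_FAILURES, which cuts off
    bulk PNR guessing."""
    MAX_FAILURES = 5  # assumed threshold, not a value from the article

    def __init__(self, policies: dict):
        self.policies = policies
        self._otps: dict = {}
        self._failures: defaultdict = defaultdict(int)

    def _locked(self, client: str) -> bool:
        return self._failures[client] >= self.MAX_FAILURES

    def update_vulnerable(self, pnr: str, new_nominee: str) -> bool:
        rec = self.policies.get(pnr)
        if rec is None:
            return False
        rec["nominee"] = new_nominee  # no OTP, no proof of ownership
        return True

    def issue_otp(self, pnr: str, mobile: str, client: str) -> Optional[str]:
        if self._locked(client) or lookup_hardened(self.policies, pnr, mobile) is None:
            self._failures[client] += 1
            return None
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._otps[pnr] = otp
        return otp

    def update_hardened(self, pnr: str, mobile: str, otp: str,
                        new_nominee: str, client: str) -> bool:
        expected = self._otps.get(pnr)
        if (self._locked(client)
                or lookup_hardened(self.policies, pnr, mobile) is None
                or expected is None
                or not hmac.compare_digest(expected, otp)):
            self._failures[client] += 1
            return False
        del self._otps[pnr]  # single use: a replayed OTP is rejected
        self.policies[pnr]["nominee"] = new_nominee
        return True


if __name__ == "__main__":
    p = sample_policies()
    print("vulnerable, wrong mobile:", lookup_vulnerable(p, "4412345678", "0000000000"))
    print("hardened, wrong mobile:  ", lookup_hardened(p, "4412345678", "0000000000"))
    svc = NomineeService(sample_policies())
    otp = svc.issue_otp("4412345678", "9800000001", "203.0.113.7")
    print("hardened update with OTP:", svc.update_hardened(
        "4412345678", "9800000001", otp, "C. Iyer", "203.0.113.7"))
```

      Running the block shows the broken lookup returning the full record for a made-up mobile number, exactly the behaviour Rajpoot reported, while the hardened lookup returns nothing. The single "not found" response for both a wrong mobile and an unknown PNR matters: a distinct error for "PNR exists, mobile wrong" would still let an attacker enumerate valid PNRs.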

      Rajpoot reported the issue to the Computer Emergency Response Team - India (CERT-In) on July 23, and CERT-In communicated the vulnerability to the relevant organisation. "I received an email from the authority, on July 30, stating that the bug had been fixed and requesting confirmation for the same. After checking the portal, I verified that the vulnerability had indeed been addressed," he said.


      IRCTC's past data breaches

      This was not the first time IRCTC had to deal with a potential data breach. In December 2022, Indian Railways experienced a significant data leak affecting approximately 3 crore individuals. It was reported that a hacker listed the stolen user data for sale on the dark web.

      The compromised data included user information and invoices: usernames, email addresses, verified and unverified mobile numbers, gender, city name, state name, and language preferences. The hacker's sample data included records with the email addresses and phone numbers of individuals who had purchased tickets from Indian Railways.

      In 2018, security researcher Avinash Jain had discovered a bug similar to the one identified by Rajpoot. It was present in the links on IRCTC's website and mobile app that connect to a third-party insurance company for the then free travel insurance. Jain said that within 10 minutes of discovering the bug, he was able to access the details of around 1,000 passengers.

      Of the three companies offering rail travel insurance at the time, the vulnerability was found only in the link to Shriram General Insurance, and not in those to ICICI Lombard General Insurance and Royal Sundaram General Insurance. The matter was reported to IRCTC on 14 August 2018 and the bug was fixed on 29 August 2018.

      A month later, IRCTC discontinued the mandatory free travel insurance, making it optional, as it remains today.
