Excerpt from The Hindu Article, Published on Aug 5 , 2024
The Indian Railway Catering and Tourism Corporation (IRCTC) has fixed a critical vulnerability on its insurance portal that previously allowed unauthorized access to passengers’ travel details and enabled changes to nominee information in the insurance policy. The flaw was discovered by cybersecurity researcher Nilabh Rajpoot of Noida, who found the bug after booking train tickets on the IRCTC website and opting for travel insurance.
Upon receiving a link via SMS, he entered the PNR and registered mobile number, which opened the travel insurance policy provided by United India Insurance Co Ltd. The link included an option to update nominee details. Mr. Rajpoot investigated further by entering random PNRs and fictitious mobile phone numbers, revealing passengers’ travel details, such as journey date, train number, berth/seat, email, mobile phone, and insurance policy information.
Shockingly, the portal allowed modification of nominee details without requiring an OTP or security question. He reported the issue on July 23, 2024, to the Computer Emergency Response Team – India (CERT-In), which communicated the vulnerability to the relevant organization. By July 30, 2024, CERT-In confirmed the vulnerability had been fixed. The breach exposed sensitive passenger information and raised data security and privacy concerns. Although the issue was found on a third-party insurance portal, IRCTC, as the custodian, was affected. Mr. Rajpoot emphasizes the importance of protecting sensitive information from fraudulent access and manipulation.
To delve deeper into this topic, please read the full article on The Hindu.
