A security researcher found a vulnerability in a newly launched app of the Indian Railways Catering and Tourism Corporation (IRCTC), and the bug was fixed in no time.
The bug was present in both the website and the app version, and it affected the password reset option. When a user types in their user ID, the system automatically sends an OTP to the mobile number registered to that account. A captcha is in place to prevent brute-forcing of the OTP, but in this case the same captcha could be reused for an unlimited number of requests, so the captcha no longer limited the number of OTP guesses.
The researcher, Ronnie T Baby, a third-year engineering student, exploited the bug by brute-forcing the OTP; once logged in, he could view all the personal details of the account holder, such as their address and booked tickets.
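The two server-side controls that close this class of flaw, as an added illustration that is not IRCTC's code: each captcha token is consumed on first use so it cannot be replayed across OTP guesses, and OTP attempts per user are capped so guessing cannot continue indefinitely (the class name, the attempt limit and the in-memory stores are assumptions for the demo).

```python
import hmac
import secrets

MAX_OTP_ATTEMPTS = 5   # assumed policy value, not from the article


class OtpResetVerifier:
    """Hardened password-reset OTP check (illustrative, assumed design)."""

    def __init__(self):
        self._valid_captchas = set()   # tokens issued but not yet used
        self._otps = {}                # user_id -> [otp, failed_attempts]

    def issue_captcha(self):
        """Hand out a fresh captcha token; it is valid for exactly one request."""
        token = secrets.token_urlsafe(16)
        self._valid_captchas.add(token)
        return token

    def issue_otp(self, user_id):
        """Generate a 6-digit OTP for the user (would be sent by SMS in reality)."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._otps[user_id] = [otp, 0]
        return otp

    def verify(self, user_id, captcha_token, otp_guess):
        # Single-use captcha: a replayed token is rejected before anything else,
        # which is the check that was missing in the flaw described above.
        if captcha_token not in self._valid_captchas:
            return "captcha_rejected"
        self._valid_captchas.discard(captcha_token)

        state = self._otps.get(user_id)
        if state is None:
            return "no_active_otp"
        expected, failures = state
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected, otp_guess):
            del self._otps[user_id]
            return "ok"
        state[1] = failures + 1
        if state[1] >= MAX_OTP_ATTEMPTS:
            del self._otps[user_id]   # OTP invalidated; user must request a new one
            return "locked"
        return "wrong_otp"
```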
“I found that I could easily cancel any booked tickets. Imagine someone going to their hometown for vacation, and getting a message, ‘Your ticket has been cancelled!’ What a let down to your cozy travel?!”
He forwarded the vulnerability to CERT-In, and the officials immediately reported it to the technical team of IRCTC.
This is not the first time he has found a vulnerability; for his previous findings he has been awarded $3000 by Google, Microsoft, Oracle and others.
In an email interview with Ehackingnews he said, “Indian programmers are not up to the mark; they lack security knowledge.” He got interested in cyber security at an early age and always fancied the term “hacking”, but his dream came true only after joining engineering college, where he got free internet access.
“One day, I went away from the hustle and bustle of daily college routine, sat in an empty class, took out a sheet of paper and wrote all the things I am good at. One thing I realized was that, being an introvert, I observed the world around me very deeply. I liked walking through paths rarely crossed by others. I usually did the opposite of what the crowd does! I came to the conclusion that cyber security was the apt field for a guy like me. Other fancy words which are still booming now include machine learning, data science etc. For me, security was everything and that is what I started thinking about day and night,” he further added.
He has advice for all those who don’t know how to begin in any field. “Google is your best friend. I never needed anyone’s help in anything. We have such a huge population, I will argue that any query you had in your life, the same doubt would have crept into someone else’s mind sitting at the other end of the world. So open your eyes, and start searching for solutions and self learning, instead of ‘How do I hack?’ Yes, for guidance, it is always recommended to be in touch with the pros and able people of any particular field.”