The Indian Railway Catering and Tourism Corporation (IRCTC) has addressed a critical vulnerability on its insurance portal that previously allowed unauthorised access to passengers’ travel details and enabled changes to nominee information in the insurance policy.
Cybersecurity researcher Nilabh Rajpoot of Noida discovered the bug after booking train tickets on the IRCTC website and opting for travel insurance. He received a link via SMS that, upon entering the PNR and registered mobile number, opened the travel insurance policy provided by United India Insurance Co Ltd. The link included an option to update nominee details.
Mr. Rajpoot’s curiosity and hacker instincts led him to investigate potential data leaks on the portal. By entering random PNRs and fictitious mobile phone numbers, he found that the portal revealed passengers’ travel details, such as journey date, train number, berth/seat, email, mobile phone, and insurance policy information. Shockingly, the portal allowed modification of nominee details without requiring an OTP or security question.
Random PNRs
“I entered hundreds of random PNRs and mobile phone numbers and accessed passengers’ travel/insurance details. Although the link issued an alert that the mobile number did not exist, it still provided the passenger data. I immediately reported the issue on July 23, 2024, to the Computer Emergency Response Team – India (CERT-In), which communicated the vulnerability to the relevant organisation,” Mr. Rajpoot told The Hindu on Sunday.
In a reply on July 30, 2024, CERT-In said the concerned organisation had confirmed that the vulnerability had been fixed and requested him to verify at his end.
The vulnerability on the IRCTC insurance portal was significant as it exposed sensitive passenger information, including journey and contact details. Although the issue was found on the insurance portal managed by a third party, the data security and privacy concerns affected IRCTC as the custodian.
Mr. Rajpoot focuses on identifying and mitigating security risks through routine assessments of various online portals. “In this case, unauthorised individuals could access and modify policyholders’ details, including nominee information. We must protect sensitive information from fraudulent access and manipulation,” he said.