Teenager flags bug in IRCTC’s system, fixed
Indian Railway Catering and Tourism Corporation Ltd (IRCTC) has fixed a bug on its e-ticketing platform after a Class 12 student from Chennai raised the alarm over the presence of insecure direct object references (IDOR), a type of access control vulnerability, in the booking site. The IT wing of the IRCTC immediately took note of the complaint and resolved the vulnerability. The issue was reported on August 30 and was fixed on September 2.

What is IDOR

It is a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. The student reportedly came across a critical IDOR that leaked the transaction details of millions of travellers when he was trying to book tickets. According to information, it is the most common bug.

How it is detected

Go to your account ticket history and click on any ticket with Burp Suite turned on. Now change the transaction ID to gain access to another's tickets; you will get all sensitive details. You can also cancel someone's ticket or do anything malicious.

According to reports, on September 11, he received a mail thanking him for reporting the matter to the authorities.

-PTC News with inputs from agencies
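
The access-control gap described under "What is IDOR", as an added example that is not code from IRCTC or from the original article: a ticket lookup keyed only on a user-supplied transaction ID, beside a version that checks the ticket's owner against the logged-in user. The in-memory store, field names, transaction IDs and function names are all constructed for illustration.

```python
# Added illustration: every name, ID and record below is constructed.
from dataclasses import dataclass


@dataclass
class Ticket:
    txn_id: int
    owner: str          # account that made the booking
    passenger: str
    status: str = "BOOKED"


# Constructed sample data standing in for the booking database.
TICKETS = {
    1001: Ticket(1001, "alice", "Alice A"),
    1002: Ticket(1002, "bob", "Bob B"),
}


class NotFound(Exception):
    """Raised for missing AND for not-owned tickets, so the response
    does not reveal which transaction IDs exist."""


def get_ticket_vulnerable(session_user: str, txn_id: int) -> Ticket:
    # IDOR: the user-supplied txn_id is used directly as the lookup key;
    # session_user is never compared with the ticket's owner.
    ticket = TICKETS.get(txn_id)
    if ticket is None:
        raise NotFound(txn_id)
    return ticket


def get_ticket_checked(session_user: str, txn_id: int) -> Ticket:
    # Fix: authorise access to the object, not just the session.
    ticket = TICKETS.get(txn_id)
    if ticket is None or ticket.owner != session_user:
        raise NotFound(txn_id)
    return ticket


def cancel_ticket_checked(session_user: str, txn_id: int) -> Ticket:
    # State-changing actions go through the same ownership check.
    ticket = get_ticket_checked(session_user, txn_id)
    ticket.status = "CANCELLED"
    return ticket
```

The same ownership check has to sit in front of every endpoint that accepts the transaction ID, including cancellation, since a check on the view alone leaves the write path open.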