After a technical vulnerability discovered in the IndiGo website in March led to the leak of passengers’ sensitive data, the Indian Railway Catering and Tourism Corporation (IRCTC) has now put thousands of passengers’ sensitive data at risk.
IRCTC has a monopoly on train ticket booking in India because of its status as a railway PSU. Passengers who book train and aeroplane tickets through IRCTC are covered by insurance providers. More than one million railway tickets are purchased through the e-ticketing giant each day. Indian Railways began offering nominally priced (less than a rupee) accidental insurance to customers who purchased their tickets online in December 2016. Bajaj Allianz and Liberty General Insurance were two of the insurers.
The websites of Bajaj Allianz and Liberty General Insurance were recently found to be vulnerable to an access-control flaw known as IDOR (Insecure Direct Object Reference), which exposed the personal information of passengers and their nominees. IDOR is a vulnerability “through which an attacker can directly access the objects (data) of other users by circumventing the access control system in place,” as defined by OWASP. It is a very common and serious security flaw. HTTP parameters such as “id”, “uid” or “pid” carry the values a web application assigns to identify a user, or the object a user is working with, when a request is created, submitted or answered by the server. These parameter values can be observed in cookies, headers or captured network traffic. If an attacker obtains them, they may be able to substitute another value and retrieve data that belongs to someone else, which is a security breach. An IDOR has major ramifications for security precisely because it is hard to detect from the outside yet trivial to exploit once found.
By exploiting a weakness in IRCTC’s third-party insurers, millions of users’ private information might be accessed and altered. Information about the traveller and the journey is shared with one of IRCTC’s third-party insurers once a ticket has been purchased. Name, phone number, journey details, and insurance nominee data of IRCTC-booked e-tickets are all publicly available information.
“To access any passenger and their nomination information, we only had to change a number in their APIs. Neither of their APIs has any suitable protective mechanism in place. Within three minutes, we were able to view the details of nearly 1,000 passengers,” stated Avinash Jain, the cybersecurity specialist who identified the flaw.
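The flaw described above, where the API trusts whatever record number the client supplies, comes down to a missing ownership check. The following is an added illustration, not code from IRCTC or either insurer, of a minimal passenger-insurance lookup in its vulnerable form beside the hardened form; the record structure, account names and sample data are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class InsuranceRecord:
    record_id: int
    owner_user_id: str      # the account that booked the ticket (constructed)
    passenger_name: str
    nominee_name: str


# Constructed sample data: three policies belonging to two different accounts.
RECORDS: Dict[int, InsuranceRecord] = {
    1001: InsuranceRecord(1001, "user-a", "Passenger A", "Nominee A"),
    1002: InsuranceRecord(1002, "user-b", "Passenger B", "Nominee B"),
    1003: InsuranceRecord(1003, "user-a", "Passenger C", "Nominee C"),
}


def lookup_vulnerable(session_user: str, record_id: int) -> Optional[InsuranceRecord]:
    """IDOR: the id from the request is used directly as the lookup key and the
    authenticated user is never compared with the record's owner."""
    return RECORDS.get(record_id)


def lookup_hardened(session_user: str, record_id: int) -> Optional[InsuranceRecord]:
    """Fix: bind the lookup to the authenticated session. A record that does
    not exist and a record that belongs to someone else are both answered the
    same way (None, i.e. an HTTP 404), so valid ids cannot be distinguished
    from invalid ones by an outsider walking the id space."""
    record = RECORDS.get(record_id)
    if record is None or record.owner_user_id != session_user:
        return None
    return record


def readable_ids(lookup: Callable[[str, int], Optional[InsuranceRecord]],
                 session_user: str, id_range: Iterable[int]) -> List[int]:
    """Audit helper: which record ids can one session read? Walking a short
    sequential range is how the reported flaw surfaces; the hardened handler
    should only ever return the caller's own records."""
    return [rid for rid in id_range if lookup(session_user, rid) is not None]


if __name__ == "__main__":
    print(readable_ids(lookup_vulnerable, "user-a", range(1000, 1010)))  # all three records
    print(readable_ids(lookup_hardened, "user-a", range(1000, 1010)))    # only user-a's records
```

The same audit can be run against a staging deployment of any record-by-id endpoint: two sessions with different accounts should never see overlapping ids.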
Information of this kind can be used to make phishing attempts far more convincing, and security teams should be alert to the possibility that the third-party websites they integrate with have weaknesses of their own that can be exploited.
According to a statement published by the National Critical Information Infrastructure Protection Centre (NCIIPC), the nodal agency for the protection of critical information infrastructure, the agency is now working with stakeholders to verify and remediate the issue identified.
Following the probe, IRCTC suspended the services of Bajaj Allianz and Liberty General on 23 May. According to IRCTC, the security checks were not over. An IRCTC representative said in an emailed statement that the integration with these insurance providers has been placed on hold as a result of the incident, and that insurance services through these providers will only be reinstated once additional checks have been performed on their websites to the satisfaction of IRCTC.
The vulnerability was confirmed by Bajaj Allianz and Liberty when they were contacted.
In an email statement, Bajaj Allianz General Insurance Senior President & Head-IT, Web Sales, Travel Sourabh Chatterjee said, “At Bajaj Allianz, we sincerely appreciate our customers’ data and privacy and we take cognizance of the issue and are looking into it promptly.”
Officials with Liberty Insurance said the identified flaw has been fixed and that the two companies are working together to improve security even further. They state that as soon as they identify a potential vulnerability, they immediately begin testing for it. In the case at hand, they clarified that none of the passengers’ private information, such as email addresses, phone numbers, addresses or even birth dates, was compromised, and that their security measures were tightened promptly after they learned of the incident.