The Indian Railways' ticket booking platform, IRCTC, is the biggest e-commerce platform in India, and it handles the sensitive data of so many users that the government had to put on hold plans to privatise the service in order to figure out how to value these terabytes of data. It turns out though, that a security flaw in the system meant that the data of millions of users was made vulnerable every day, and could have been siphoned off by anyone.
Around 20 million people travel by train in India every day on average, and IRCTC issues around 700,000 tickets every single day. Each ticket carries data like the name and age of the passenger, whether they are vegetarians, or if they have any physical disabilities, for example. And while the government sees a potential windfall in this, IRCTC had been giving the data away freely to anyone who knew where to look.
"Around three months ago, I found a bug in IRCTC which would expose anyone's user details, journey details, nominee details," said Avinash Jain, lead infrastructure security engineer at Grofers and a part-time bug bounty hunter. Jain has exposed bugs for companies such as MobiKwik, Hotstar and Google, which have paid him rewards for highlighting weaknesses. "Any black hat could have taken the details of millions of people, and it was not a very technical thing that was to be exploited," he added. "It was actually really easy to get the details of people."
"Most private companies will pay you, or at least send you some swag if you help them find a weakness. This gives an incentive for people to help improve their security," explained Jain. In the case of IRCTC, he was thanked for reporting the vulnerability, and on 29 August, he received an email from CERT [which has been viewed by HuffPost India] stating that the "reported leak has been fixed by the concerned organisation". Google, in contrast, paid a bounty of $1,000 (or around Rs 73,000), according to Jain.
Jain and fellow security researcher Gurunatha Reddy Gopireddy found that when a passenger was booking tickets on IRCTC, it would share all the passenger and journey details with third-party insurers. This information could be retrieved only with a transaction number—but by using the PNR number, it was possible to first retrieve the requisite transaction number.
1,000 passenger details in 10 minutes
Explaining how he was able to get hold of the customer data, Jain explained that when IRCTC launched a feature to offer free insurance to passengers, there was a flaw in the API that allowed you to enter a PNR number, and see all the associated details without additional authorisation. And there was no limit to how many PNRs you could check—which meant that it was possible to create a script that would check sequential numbers, generating a wide range of valid PNRs, and copying the data presented.
"In ten minutes, it gave me the records for 1,000 passengers," Jain said. "And it could have given the details of 500,000-600,000 bookings daily."
This data was "lying there" for around two years, Jain said.
And there's a market for this kind of information. When the IRCTC database was leaked in 2016, and the information of around 1 crore people was feared stolen, officials said that personal details of customers were being sold on CDs, priced at Rs 15,000 each.
The data was also being sold online at even cheaper rates, according to Bengaluru-based Soham Gupta, who is the founder of a stealth-stage startup. "Names, phone numbers, dates of birth, all that information was easily available," Gupta said.
No disclosure
One of the biggest concerns about the IRCTC breach reported by Jain is the lack of proper disclosure. "In a perfect world, when there is a security problem, customers should be informed about it," said Saravanan K, a Bengaluru-based consultant working on security solutions for businesses. "A lot of companies don't actually do this, though—they think this is bad for our reputation, instead of realising that it will come out in the public eventually anyway, and then it will be much worse for your reputation."
That's what happened, for example, with FreshMenu, which saw the data of 100,000 users breached in 2016. The company chose not to disclose this because the breach was "limited".
Beyond that, Jain also pointed out that the lack of support from government agencies, beyond a minimal acknowledgement, worked to discourage Indian bug-bounty hunters from reporting issues. "The Indian government doesn't appreciate such efforts, which demotivates security researchers," said Jain. "India has produced some great security researchers, but such talents are not recognised by the Indian government."
"The French hacker, who goes by Elliot Alderson, that is what happens when you don't appreciate the people in your own country. He is hacking Indian sites and the Aadhaar and things because the Indian community has been pushed away," he added.