Hello Amazing readers, This writeup is all about how, during my internship in Chennai, I stumbled upon a critical vulnerability in the Chennai Metro Rail ticket booking system. By taking a closer look at the system’s inner workings, I was able to exploit a flaw and book tickets at a significant discount/almost for free. This article highlights the importance of ethical hacking and responsible disclosure, ultimately resulting in the rectification of the vulnerability.

I know I was going to post about an IDOR as referred in my previous writeup, but this looked more interesting to share.

You can read my previous writeup here :

This all started when I have to move to Chennai to complete my Internship where I have to travel from my stay to the office through Metro. This was the first time I was travelling by any metro and I was little bit excited how they manage the ticket booking and verification of all these travelers. So what I observed during my travel was that the Chennai Metro Rail uses QR code based ticket to scan so that it opens the gate to platforms. I manually had the ticket from the ticket counters there and saw the QR code on the ticket and other details. All the security researchers here will understand the urge to look into this and think that what will the QR code data will have? What if I can view or manipulate the data? Yes all these questions crossed my mind too. So I though to have a look at the ticket by scanning the QR code using a QR code scanner app.

To get a better idea, I collected 3–4 tickets and scanned the QR Code of all the tickets. While analyzing the data from these tickets I have observed that there was some encrypted token, Ticket number and Date-time of the booked ticket. All the details like origin station and destination station was I guess present in this encrypted token value. As this tickets were generated from the ticket counters. I was clueless how this tokens were generated and what was the actual mechanism behind it. I kept this aside for some days and suddenly I got to know from my friend that we can book the tickets from their online portal too. I was like, now let this begin again. I immediately visited the website to book tickets online and see how the ticket was getting generated. This is how it looked like :

So this website was very very simple and user friendly. We just have to enter the origin station and destination station. The fare will be calculated automatically and upon paying through online methods, we get the QR code ticket. We can even see our booked ticket history.

So I turned my Burp Suite proxy on and was observing the traffic to which I found that all the traffic to the server and from the server is encrypted. We cannot see what actually the data is going to the server and coming from the server. You can see the request here :

Like this every request was encrypted and we cannot see what’s actually going on. I thought that there’s no point to see anything here as it will not make any sense. So just looking at other requests there I found a request which was an API endpoint used to get the fare details from the server in encrypted format. So when we select origin station and destination station it will send a request to the server to get the fare details of that route. As it was also encrypted, we cannot edit or do anything with the fare details too.

I just observed that what was the actual flow even the requests are encrypted. So the flow was like :

1. We have to enter the source and destination.
2. Encrypted request sent to server to get the fare details.
3. Encrypted response received from server about the fare.
4. Heading to payment page and book the ticket.

This was the flow of whole ticket booking process happening in backend. The fare request looked like this :

The very first thing I thought to try is to get a fare amount response for a journey of less distance. Keeping a note of it. Then while requesting the fare for a journey with more distance replace the response with previous one. So instead of showing any errors, it redirected me to the payment page where I was able to pay successful and the ticket was generated. I was like Is this really happening? I just bought a ticket with 80–90% discounted rate? I can now travel through metro for almost free? I booked another ticket with the same method and again it was successful.

Let me tell you the complete flow with details now :

Example : Thousand Lights to Ag-DMS : Ticket Fare : Rs.8

Example : Thousand Lights to Ashok Nagar : Ticket Fare : Rs.32

1. I kept a note of the encrypted fare response for the first one i.e. less distance and lower fare amount.
2. I replaced the new response i.e. more distance and higher fare amount with the previous encrypted response.
3. Made the payment and got a ticket from Thousand Lights to Ashok Nagar for Rs.8 instead of Rs.32

Even after this ticket was generated I thought that it may not work when we try to scan at the entry gate. Just to confirm I scanned the ticket at the entry gate and traveled from the origin to destination station (You know that feeling right ? ^_^). I walked out of station like

Instead of using it for my own purpose I decided to report this to appropriate department and get it fixed.

I immediately reported this vulnerability to the Chennai Metro Rail department and I got the response very quickly that the Bug has been fixed now.

I retested the bug and confirmed that it is fixed now but I thought there is no way I can travel for free? Here again, the interesting part comes.

After retesting, I moved to the ticket history tab and saw that we can view tickets which are generally based on some browser authentication. So we can see the tickets which are only booked into our device and browser.

I had a look at the HTTP requests in bur suite. Where I found an endpoint /tickethistory/<ticket id>/qr. This endpoint was making a GET request and in return the ticket details and QR was received.

I just simply changed the ticketid to incremented/decremented value and sent the request. And here again I was able to see anyone’s ticket and QR code.

So how I can exploit this? I just kept downloaded the latest tickets with matching stations and immediately scanned the code before the original ticket holder scans. Making the Original user’s ticket invalid. Yes, I felt bad for him/her. You know just for impact. right?

Again I made a report and sent it. To which I got the reply within hours that this has also been fixed.

The journey into the ticket booking system of Chennai Metro Rail allowed me to uncover a vulnerability that enabled me to purchase tickets at significantly reduced fares. By responsibly disclosing this flaw to the concerned authorities, the vulnerability was quickly addressed and resolved, ensuring the system’s security and protecting the interests of Chennai Metro Rail’s commuters. This experience further emphasizes the importance of ethical hacking in maintaining the integrity of digital systems and highlights the positive impact that responsible disclosure can have on securing our interconnected world.

If you guys want the Video POC for both these vulnerabilities. Then comment it down and share this writeup. I will upload the censored POC once the article have good reach. As it takes time to edit video POCs.

My next writeup will be all about a long chain of IDOR and how I was able to easily exploit it exposing all the corporate accounts information.

https://www.linkedin.com/in/manavbankatwala/

https://www.instagram.com/manav.bug/

https://twitter.com/manavbankatwala