Exposing Millions of IRCTC Passengers' ticket details.
2021-09-16 14:01:08 Author: infosecwriteups.com

Renganathan

Hi There,

Renganathan here. I'm an ethical hacker and security researcher.

I’ve been acknowledged by LinkedIn, United Nations, BYJU’s, Nike, Lenovo, Upstox for reporting security vulnerabilities in their web applications.

What’s IRCTC?

IRCTC, India's largest online ticketing site and one of the country's largest e-commerce operations, has around 30 million registered users and handles around 550,000 to 600,000 bookings every day, making it the world's second-busiest travel portal, with revenue of around $20 million a year (source: Wikipedia).

While booking a ticket as an ordinary user, I got the idea of testing the site for vulnerabilities.

Hacker Mode!

The first class of vulnerability that came to mind was IDOR (Insecure Direct Object Reference). Here are the steps to reproduce.

  1. Log in to your IRCTC account.
  2. Go to My Account > My Transactions > Booked Ticket History.
  3. The booked tickets are listed there, and each one expands on click.

With Burp Suite intercepting the traffic, expanding a ticket produced the GET request below (the transaction ID in the path is partially redacted):

GET /eticketing/protected/mapps1/historySearchByTxnId/XXXXXXXXXX48?currentStatus=N HTTP/1.1
Host: www.irctc.co.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.irctc.co.in/nget/txn/my-transactions?page=Booked%20Ticket%20History&eWallet=false

To test for IDOR, I decremented the transaction ID in the path and forwarded the request.

And yes: the response contained another user's transaction and ticket details: train number, departure time, journey duration, PNR number, ticket status, boarding station, and passenger information (names, seat details, gender and age).

Since the backend code is shared, the same flaw also allowed cancelling the ticket, changing the boarding point, ordering food, booking a hotel or a tourist package, and even booking a bus.
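The flaw above is the textbook IDOR shape: the session proves who is calling, but the lookup is keyed on the transaction ID alone, and because the IDs are sequential a single decrement lands on someone else's booking. The following is an added example written for this page, not IRCTC's code: a constructed in-memory ticket store, the vulnerable lookup beside a hardened one that scopes the query to the authenticated user, and a small probe that replays the decrement-the-ID test against either. All users, PNRs and transaction IDs are made up.

```python
"""Added illustrative example (not IRCTC's backend): an IDOR on a
transaction-ID lookup, the hardened version, and a probe that replays
the decrement-the-ID test from the write-up. All data is constructed."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Ticket:
    txn_id: int
    owner: str                 # user ID of the account that booked it
    pnr: str                   # constructed, not a real PNR
    train: str
    passengers: Tuple[Tuple[str, int, str, str], ...]  # (name, age, gender, seat)


# Constructed sample data: two users, one booking each. The IDs are
# sequential integers, which is what makes decrement-the-ID probing cheap.
TICKETS = {
    1000000047: Ticket(1000000047, "alice", "PNR-FAKE-001", "12621",
                       (("A. Sharma", 34, "F", "S4-12"),)),
    1000000048: Ticket(1000000048, "bob", "PNR-FAKE-002", "12951",
                       (("B. Rao", 41, "M", "B2-07"),)),
}


class NotFound(Exception):
    """Raised for both 'no such ID' and 'not your ticket' in the fixed version."""


def history_search_vulnerable(session_user: str, txn_id: int) -> Ticket:
    """The IDOR: session_user is authenticated but never consulted, so any
    logged-in user can read any ticket just by supplying its ID."""
    try:
        return TICKETS[txn_id]
    except KeyError:
        raise NotFound(txn_id)


def history_search_fixed(session_user: str, txn_id: int) -> Ticket:
    """Hardened: the lookup is scoped to the caller. Returning the same
    NotFound for 'missing' and 'not yours' avoids giving the probe an
    ownership oracle (a distinct 403 would still confirm the ID exists)."""
    ticket = TICKETS.get(txn_id)
    if ticket is None or ticket.owner != session_user:
        raise NotFound(txn_id)
    return ticket


def probe_idor(lookup: Callable[[str, int], Ticket], session_user: str,
               own_txn_id: int, steps: int = 3) -> List[Tuple[int, str]]:
    """Replay the write-up's test: start from an ID we own, decrement it,
    and record every ticket returned that belongs to someone else."""
    leaks = []
    for delta in range(1, steps + 1):
        candidate = own_txn_id - delta
        try:
            ticket = lookup(session_user, candidate)
        except NotFound:
            continue
        if ticket.owner != session_user:
            leaks.append((candidate, ticket.owner))
    return leaks


if __name__ == "__main__":
    # bob probes downward from his own transaction ID
    print("vulnerable:", probe_idor(history_search_vulnerable, "bob", 1000000048))
    print("fixed:     ", probe_idor(history_search_fixed, "bob", 1000000048))
```

The same ownership check belongs on every endpoint that takes the transaction ID, which is why the write-up notes that cancellation, boarding-point changes and the other transaction features fell with the same bug: scoping one read endpoint is not enough when the shared lookup behind the others is still keyed on the ID alone.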

I immediately recorded a PoC and reported it to [email protected].

Timeline:

Aug 30, 2021, 12:45 pm: Reported.

Aug 30, 2021, 1:30 pm: A ticket was assigned.

Sept 4, 2021: The issue was resolved (confirmed by retest).

Sept 11, 2021: Acknowledged by IRCTC.

Acknowledgement from IRCTC

Thanks for reading :)
Stay Safe.

https://www.instagram.com/renganathanofficial

https://twitter.com/IamRenganathan


Article source: https://infosecwriteups.com/exposing-millions-of-irctc-passengers-ticket-details-53338280fb9e?source=rss----7b722bfd1b8d--bug_bounty