Discovery and Report
A cybersecurity analyst identified a critical vulnerability on IRCTC’s insurance portal, exposing passengers’ travel details and allowing changes to nominee information without verification. Researcher Nilabh Rajpoot discovered the issue while booking tickets and opting for travel insurance.
Vulnerability Details
Rajpoot found that by entering random PNRs and phone numbers, he could access sensitive passenger information and modify nominee details without security checks. He reported the issue to CERT-In on July 23, 2024.
Resolution
CERT-In confirmed on July 30, 2024, that the vulnerability had been fixed. The breach, managed by a third party, raised significant data security and privacy concerns for IRCTC.
Call for Enhanced Security
Rajpoot emphasized the importance of protecting sensitive information from unauthorized access and manipulation to prevent fraud and ensure data privacy.