Discovery and Report

A cybersecurity analyst identified a critical vulnerability on IRCTC’s insurance portal, exposing passengers’ travel details and allowing changes to nominee information without verification. Researcher Nilabh Rajpoot discovered the issue while booking tickets and opting for travel insurance.

Vulnerability Details

Rajpoot found that by entering random PNRs and phone numbers, he could access sensitive passenger information and modify nominee details without security checks. He reported the issue to CERT-In on July 23, 2024.

Resolution

CERT-In confirmed on July 30, 2024, that the vulnerability had been fixed. The breach, managed by a third party, raised significant data security and privacy concerns for IRCTC.

Call for Enhanced Security

Rajpoot emphasized the importance of protecting sensitive information from unauthorized access and manipulation to prevent fraud and ensure data privacy.

Author

By admin
