The website of the Indian Railways has been a subject of ridicule owing to the various security flaws discovered in it over the years. When it comes to protecting user data, the website has been lacking in many ways.
The website was previously hacked in 2016, when the details of over 1 crore users were leaked. Last year, Kanishk Sanjani, an ethical hacker, ordered food from the IRCTC website for Rs 7. This vulnerability remained unpatched for well over 7 months even after the concerned authorities were informed.
Recently, Ronnie T Baby, a cybersecurity enthusiast and student of Karunya University, contacted Fossbytes to shed light on a major vulnerability he found in the revamped IRCTC website. The flaw enabled Ronnie to access the details of millions of users and cancel any booked ticket.
The bug was found in the website's reset password option, which automatically sent an OTP to the registered mobile number once a user ID was entered. The site did have a captcha to prevent brute-forcing attempts, but it allowed a solved captcha to be reused for an unlimited number of requests.
This weakness allowed attackers to brute-force the OTP and log into users' accounts. Once logged in, attackers could gain access to sensitive user details and cancel tickets.
Brute-forcing attacks involve systematically trying candidates from a large list of passwords until the correct one is found. The process was further simplified because the OTPs sent to mobile numbers were 6-digit numeric codes (e.g. 972856).
This means the OTP would be found within a maximum of 999999 attempts, which is not much considering the computing power of modern PCs. Coupled with the reuse of valid captchas, the website could be broken into with ease using a freely available pen-testing tool such as Burp.
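The two weaknesses described above (a captcha token that can be replayed, and an OTP endpoint that accepts unlimited guesses) are both server-side verification mistakes. The following is an added illustration, not code from IRCTC or from the researcher: a hypothetical OTP verifier for a password-reset flow that can run in a "weak" mode mirroring the article's description or in a hardened mode (single-use captcha tokens, a short OTP lifetime, and invalidation after a handful of failed guesses). The `simulate_guessing` helper counts how many guesses the server processes before it either accepts the code or refuses to continue, so the effect of each control can be compared directly. The user ID, endpoint shape and thresholds are assumptions for the example.

```python
import hmac
import secrets
import time


class OtpVerifier:
    """Hypothetical server-side OTP verification for a password-reset flow.

    The reset endpoint issues a 6-digit OTP per user and a captcha token;
    verify() takes (user_id, captcha_token, otp_guess) like a reset request.
    hardened=False reproduces the weakness the article describes: the captcha
    token can be replayed and OTP guesses are unlimited.
    """

    MAX_ATTEMPTS = 5        # assumed lockout threshold per issued OTP
    OTP_TTL_SECONDS = 300   # assumed OTP validity window

    def __init__(self, hardened=True, now=time.time):
        self.hardened = hardened
        self.now = now          # injectable clock, so expiry can be tested
        self.otps = {}          # user_id -> [otp, issued_at, failed_attempts]
        self.captchas = set()   # captcha tokens that are currently valid

    def issue_captcha(self):
        token = secrets.token_urlsafe(16)
        self.captchas.add(token)
        return token

    def issue_otp(self, user_id, otp=None):
        # otp is injectable only so the example is deterministic; a real
        # deployment always generates it.
        if otp is None:
            otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[user_id] = [otp, self.now(), 0]
        return otp  # in the real flow this goes to the registered mobile number

    def verify(self, user_id, captcha_token, otp_guess):
        if captcha_token not in self.captchas:
            return "bad_captcha"
        if self.hardened:
            self.captchas.discard(captcha_token)   # a solved captcha is single use
        record = self.otps.get(user_id)
        if record is None:
            return "no_otp"
        otp, issued_at, _ = record
        if self.hardened and self.now() - issued_at > self.OTP_TTL_SECONDS:
            del self.otps[user_id]
            return "expired"
        record[2] += 1
        if hmac.compare_digest(otp, otp_guess):   # constant-time comparison
            del self.otps[user_id]                # an OTP is consumed on success
            return "ok"
        if self.hardened and record[2] >= self.MAX_ATTEMPTS:
            del self.otps[user_id]   # too many failures: the OTP is dead
            return "locked"
        return "wrong"


def simulate_guessing(hardened, otp="972856", fresh_captcha=False):
    """Count how many sequential guesses the server processes for one issued
    OTP before it answers something other than 'wrong'. fresh_captcha=True
    models a client that solves a new captcha for every request; False models
    replaying the first token. Returns (final_result, guesses_processed)."""
    v = OtpVerifier(hardened=hardened)
    v.issue_otp("user42", otp)
    token = v.issue_captcha()
    n = 0
    for guess in range(10**6):
        n += 1
        if fresh_captcha and n > 1:
            token = v.issue_captcha()
        result = v.verify("user42", token, f"{guess:06d}")
        if result != "wrong":
            return result, n
    return "exhausted", n


if __name__ == "__main__":
    # Weak server: one solved captcha is enough and the code is reached by counting up.
    print("weak, replayed captcha:     ", simulate_guessing(hardened=False))
    # Hardened server: the replayed token is rejected on the second request.
    print("hardened, replayed captcha: ", simulate_guessing(hardened=True))
    # Even a client that solves every captcha is stopped after MAX_ATTEMPTS.
    print("hardened, fresh captchas:   ", simulate_guessing(hardened=True, fresh_captcha=True))
```

In weak mode the loop reaches the code `972856` on the 972857th request, which is the exhaustive search the article describes. In hardened mode the same loop ends after two requests because the replayed captcha is rejected, and after five requests even when every captcha is freshly solved, since the OTP itself is invalidated. The expiry window bounds the attack in time as well, so a guess rate limited by captcha solving cannot outlast the code.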
The issue was fixed by the authorities a few weeks after they were notified. The question still remains: when will this lax attitude of government organizations towards cybersecurity change?