Posted by: The Chhamanator | April 17, 2009

Security issue while booking tickets through IRCTC

Most of us have either used or at least heard of the IRCTC service. It's a Government of India undertaking through which you can book train tickets online using a range of payment options. To book a ticket you create an account on the website, choose your journey, class and payment option, and you're done. Highly convenient if you hate standing in line for a ticket and dealing with rude agents.

Normally you have to enter your username and password before you can see your ticket status and payment details, so only you, or someone who knows your password, should be able to access your booking information. I recently discovered by accident that this can be bypassed with a simple modification of the URL.

Recently I booked a ticket from Allahabad to Kolkata using IRCTC, after a friend of mine told me that payment can now be made with a debit card. I had always thought I'd need a credit card for this. Anyway, I registered, searched for a train and actually booked the last available ticket on it. I was then shown a page with my booking and ticket status, with the option to either download or print the ticket. After saving the ticket as a PDF, I thought I'd change the URL around and see what happened, and surprise surprise, I was shown the ticket status of another passenger.

Try it yourself. Enter the following URL in the address bar of your browser:

https://www.irctc.co.in/cgi-bin/bv60.dll/irctc/services/printTicket.jsp?UserRole=Normal&PassString=nnnnnn&ID=null&transID=0102981022

You will see the booking details of one passenger. As you will have noticed, you don't even need to log in to see the status. Now change the number after transID= and you will see the booking details of another passenger. The root cause is that the server trusts the transID it is handed in the query string and never checks that the transaction belongs to the account that is logged in (or that anyone is logged in at all), and since changing the number simply turns up another valid record, the IDs are easy to guess. I don't know whether it is possible to actually edit the status or any of the information on the ticket, but being able to view other people's booking information without their consent is highly inappropriate and a serious violation of privacy.
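To make the flaw concrete, here is an added example of my own, not IRCTC's code, that models the printTicket lookup with an in-memory table of constructed bookings. The vulnerable handler does what is described above: it serves whatever transID is in the query string and never looks at the session. The fixed handler requires a logged-in user and returns a booking only if that user owns it; it also answers "no such booking" identically whether the ID does not exist or belongs to someone else, so the endpoint cannot be used to find out which IDs are valid. The account names, sample passengers, the exception types and the helper that walks through sequential IDs are all assumptions made for illustration.

```python
# Added example (not IRCTC's code): a minimal model of the printTicket lookup
# showing the missing authorization check beside its fix.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    trans_id: str
    owner: str      # account that made the booking (assumed field)
    passenger: str
    route: str


# Constructed sample bookings; transaction IDs are consecutive, as the blog's
# "change the number" test suggests they are in practice.
TICKETS = {
    "0102981022": Ticket("0102981022", "alice", "A. Sharma", "ALD-KOL"),
    "0102981023": Ticket("0102981023", "bob",   "B. Das",    "NDLS-MAS"),
    "0102981024": Ticket("0102981024", "alice", "A. Sharma", "KOL-ALD"),
}


class Unauthorized(Exception):
    """No logged-in session at all."""


class Forbidden(Exception):
    """Booking does not exist, or does not belong to the caller."""


def print_ticket_vulnerable(query: dict, session_user: Optional[str] = None) -> Optional[Ticket]:
    """The behaviour the page describes: the value of transID is looked up
    directly and session_user is never consulted."""
    return TICKETS.get(query.get("transID", ""))


def print_ticket_fixed(query: dict, session_user: Optional[str]) -> Ticket:
    """Serve a booking only to the authenticated account that owns it."""
    if session_user is None:
        raise Unauthorized("login required")
    ticket = TICKETS.get(query.get("transID", ""))
    # Same error for "not found" and "not yours": a different answer would
    # let an attacker learn which transaction IDs exist.
    if ticket is None or ticket.owner != session_user:
        raise Forbidden("no such booking for this account")
    return ticket


def walk_ids(handler: Callable, first: int, count: int,
             session_user: Optional[str]) -> List[Tuple[str, str, str]]:
    """Simulate the blog's test: increment transID and collect what leaks."""
    leaked = []
    for n in range(first, first + count):
        query = {"UserRole": "Normal", "PassString": "nnnnnn",
                 "ID": "null", "transID": f"{n:010d}"}
        try:
            ticket = handler(query, session_user)
        except (Unauthorized, Forbidden):
            continue
        if ticket is not None:
            leaked.append((ticket.trans_id, ticket.owner, ticket.passenger))
    return leaked


if __name__ == "__main__":
    print("vulnerable, no login   :", walk_ids(print_ticket_vulnerable, 102981022, 3, None))
    print("fixed, no login        :", walk_ids(print_ticket_fixed, 102981022, 3, None))
    print("fixed, logged in as bob:", walk_ids(print_ticket_fixed, 102981022, 3, "bob"))
```

Replacing the consecutive numbers with long random tokens would make guessing harder, but that is only defence in depth; the actual fix is the ownership check in print_ticket_fixed, because a leaked or shared link would otherwise still expose the booking to anyone who has it.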

A quick Google search shows that others have discovered the flaw as well.

The IRCTC has been informed about this. Let’s hope they make the necessary changes.

Update: The IRCTC has fixed the bug. So you are safe, for now…


Responses

  1. Hehe, so I was right about the blog updates not showing properly. I need to add the WordPress blogs now as well; last night I couldn't open any of the WordPress blogs at all.

    This is a serious issue for IRTC. I hope they do something about it soon.

  2. Good catch! I usually booked tickets online but was never aware of such issues. You turned me into a white man :)

  3. This is BAD man. Tried entering different IDs and I can see other details. Nice finding but unfortunately Indian Govt, how will they react to such things. SAD man

  4. Nice catch dude.. you’ve come a long way from HACKING others’ websites and making the mistake of coding it in UPPERCASE !! hehe.. Mr. HACK MASTER SUPREME.. or something like that.. seems you're planning to head home for summer holidays, huh?

  5. Oh well…..back to standing in looooong queues
    It really is a pain; I have nowhere to go other than Chennai and Bangalore anyway

    • @Kima,Dave,Lal lal All we can hope for is that the concerned people will act on it and the issue will soon be resolved.

      @NotGood, I still remember the day your site was hacked by Hackmaster Supreme. You were screaming like a little girl until I told you the truth. I guess I should try the ‘default password’ s**g*** on some of your accounts :) . Yeah, I already have a ticket for the 14th of May. Wohoo!!!

      @opahmar, for celebrities like you there's also the danger that if terrorists get to know your travel plans they might kidnap you….

  6. Off topic – I once saw a dead body lying on some grassy plot from a train somewhere around the Allahabad station, and every time someone says ‘Allahabad’ that image comes into my mind. It was covered in big white patches, almost like burn marks. It was a guy, and he wore a dhoti, and the image is just terrible! So I thought you’d want to know :PP

    As for the IRTC site, I used it once and for reasons I don’t even remember I didn’t like it and never went back. Good thing!

  7. hey, I remember…I was HACKMASTER SUPREME’s aide that day…hahah

  8. Bug is fixed now.

    It is an old issue, probably since inception.

  9. Once again, the Indian government screws up…why am I not surprised??

  10. yep you’ve totally hacked it man!
    I put in the link and I got these details

    the passenger name is a Mr.Java last name is Exception. funny name Mr.Java Exception

    • @Mosa. Yes that’s right. And if you read the comments at all, you will know that someone has already mentioned that the bug has been fixed. Thank you for your time. May the force be with you.

      • Do excuse him. He usually takes 4-5 months to react to a post.

      • I added testerbabu to my “blocked users” list 2 years and 3 months ago. Ah now I see it. Congrats Kima you're option to get notified works.

      • *your*

  11. Sorry for writing Off-Topic … which WordPress template are you using? Looks awesome!!

    • It’s called ocean mist. It’s in the list of wordpress.com themes

