Most of us have either used or at least know about the IRCTC service. It’s a Government of India undertaking where you can book your train tickets online using a host of payment options. To book a ticket, you create an account on the website, choose your destination, ticket class and payment option, and you’re done – highly convenient if you hate standing in line for a ticket and dealing with rude agents.
In normal circumstances, you need to enter your username and password to see your ticket status and payment details. This means that only you, or someone who knows your password, can access your booking information. But I recently discovered by accident that this can be easily circumvented by a simple modification of the URL.
Recently, I booked a ticket from Allahabad to Kolkata using IRCTC. This was after a friend of mine told me that payment can now be done using debit cards; I had always thought I’d need a credit card to do this. Anyway, I registered, searched for a train and actually booked the last available ticket for that train. I was then shown a page with my booking and ticket status, with the option to either download or print the ticket. After saving the ticket to a PDF file, I thought I’d just change the URL around and see if anything happened, and, surprise surprise, I was shown the ticket status of another passenger.
Try it yourself. Enter the following URL in the address bar of your browser:
You will be able to see the booking details of one passenger. Notice that you don’t even need to log in to see the status. Now change the number after transID=. You will see the booking details of another passenger. The page looks the record up by the transaction ID in the URL alone and never checks whether the ticket belongs to the person asking for it; since the ID is a plain number, finding another valid one takes nothing more than changing a digit. This is the textbook insecure direct object reference (IDOR), a missing authorization check rather than a broken login. Now, I don’t know if it is possible to actually edit the status or any information in the ticket, but the fact that you can see other people’s ticketing information without their consent is highly inappropriate and a huge violation of privacy.
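To make the flaw concrete, here is an added illustration (not IRCTC’s code, and not from the original post) of a ticket-status lookup keyed on a numeric transID, first as described above with no ownership check, then with the check that closes the hole. The booking records, user names, handler names and response shape are all constructed for the example; the only thing taken from the post is the pattern of a guessable ID selecting the record.

```python
"""Added illustration (not IRCTC's code): an IDOR on a numeric transID
beside the authorization check that closes it.

The booking records, the handler names and the response format are all
constructed for this example; nothing here is taken from the real site.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Booking:
    trans_id: int            # plain number, so trivially guessable
    owner: str               # username that booked the ticket
    passenger: str
    route: str
    status: str


# Constructed sample data: three bookings made by three different users.
BOOKINGS = {
    1001: Booking(1001, "alice", "A. Kumar", "Allahabad-Kolkata", "CNF"),
    1002: Booking(1002, "bob",   "B. Singh", "Delhi-Mumbai",      "WL 4"),
    1003: Booking(1003, "carol", "C. Das",   "Chennai-Bangalore", "RAC 2"),
}


def _render(b: Booking) -> dict:
    """What the status page shows; the owner field is never meant to leak."""
    return {"passenger": b.passenger, "route": b.route, "status": b.status}


def vulnerable_ticket_status(trans_id: int) -> Optional[dict]:
    """The flaw as described in the post: the URL parameter alone selects the
    record. No session is consulted, so any transID returns someone's ticket."""
    booking = BOOKINGS.get(trans_id)
    return None if booking is None else _render(booking)


def secure_ticket_status(trans_id: int, session_user: Optional[str]) -> Optional[dict]:
    """Hardened form: require a logged-in user and confirm the record belongs
    to that user before rendering it. A missing record and a record that is
    not yours both return None, so the response does not reveal which IDs
    exist to someone walking the number space."""
    if session_user is None:
        return None
    booking = BOOKINGS.get(trans_id)
    if booking is None or booking.owner != session_user:
        return None
    return _render(booking)


def enumerate_ids(handler, start: int, end: int, **kw) -> list:
    """What 'change the number after transID=' amounts to once scripted:
    walk a range of IDs and keep every record the handler hands back."""
    return [(tid, r) for tid in range(start, end + 1)
            if (r := handler(tid, **kw)) is not None]


if __name__ == "__main__":
    print("anonymous, vulnerable:",
          enumerate_ids(vulnerable_ticket_status, 1000, 1005))
    print("bob, hardened:",
          enumerate_ids(secure_ticket_status, 1000, 1005, session_user="bob"))
    print("anonymous, hardened:",
          enumerate_ids(secure_ticket_status, 1000, 1005, session_user=None))
```

Against the vulnerable handler the walk over six IDs returns all three bookings without any login; against the hardened one, bob sees only his own and an anonymous caller sees nothing. Making the ID unguessable (a long random token instead of a counter) is worth doing as well, but it is no substitute for the ownership check: a token can still be shared, logged or leaked, and the check is what makes that harmless.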
A quick Google search showed that others have also discovered the flaw.
The IRCTC has been informed about this. Let’s hope they make the necessary changes.
Update: The IRCTC has fixed the bug. So you are safe, for now…