Date: 2018-11-12

Back in 2016, there were reports that the IRCTC website and app had been hacked and that the details of numerous users had been compromised. However, IRCTC denied that there was a security vulnerability. After almost two years, this security vulnerability appears to have received a fix.

Though the bug is believed to have given hackers access to the personal details of passengers, there is no confirmation that any passenger information was stolen in the two years the bug existed. As per a report by The Economic Times, the vulnerability caused by the bug was found in August by the security researcher Avinash Jain. It was found in both the website and the app, in the link that connects to a third-party insurance company and lets passengers enroll for free travel insurance.

User data at stake

The bug might have given hackers access to passenger details such as name, age, gender and insurance nominee without the passengers' consent. Within 10 days of finding the bug, the researchers were reportedly able to read nearly 1,000 passenger and nominee details. This information was revealed by the security researcher, who appears to have written to IRCTC about the issue.

He estimates that this vulnerability could have affected at least 200,000 passengers and exposed their nominee details. The report adds that the bug was reported to India's largest e-commerce website on August 14 and fixed on August 29.

No more insurance for passengers

Soon after acknowledging and fixing this security vulnerability, the Indian Railways stopped the free and mandatory travel insurance effective from September 1. This way, passengers can either opt in or opt out of the travel insurance. The service was rolled out late in 2016, and under it every passenger booking tickets via the IRCTC website or app had to take up the free travel insurance by providing the nominee details at the respective insurance provider's website. This generates the transaction ID for the traveler.

Jain said that in order to get the personal data of passengers, they needed a valid combination of the PNR number and transaction ID. With these, they were able to fetch details of the passengers by decoding the encrypted data.

According to co-researcher Gurunatha Reddy Gopireddy, of the three companies offering rail travel insurance, only Shriram General Insurance was linked to the vulnerability. The other two insurance companies, ICICI Lombard General Insurance and Royal Sundaram General Insurance, were unaffected by this bug.