
    IRCTC website flaw lets hackers cancel booked tickets

    IRCTC security flaw that was reported last month is now fixed.


    IRCTC (Indian Railways Catering and Tourism Corporation) is used by millions of users to book train tickets. With the increase in internet use, the number of people using this service increased. Eventually, it led to the launch of a functional website and a dedicated app to book and manage tickets. Given that there are numerous users, even a minor security flaw is bound to affect all the users.


    As per a recent report, security researcher Ronnie T Baby discovered a major security flaw in the IRCTC website. The flaw was relatively easy to exploit for anyone with an idea of what they are doing. It lets hackers access lakhs of user accounts and cancel booked tickets.

    Notably, it is claimed that this flaw was reported to IRCTC on January 19, and the platform is said to have resolved the issue with a proper captcha verification in less than a month's time.

    IRCTC security flaw

    The security researcher took to LinkedIn regarding the bug, which was found in the password reset option. As per the details, this flaw was reported initially by FossBytes. The password reset option required users to enter their IRCTC user ID, after which they would get an OTP to change the password. This step was protected by a captcha, which was meant to secure the OTP against a brute-force attack. Such an attack uses a program that enters random numerical OTPs to guess the right one. This is where the flaw allowed anyone to use a valid OTP to generate unlimited password requests.

    Going by the post, the security researcher was also able to brute-force the OTP and log in to the account, which reveals details such as address and booked tickets. It is said to have given him the ability to cancel booked tickets. The only field that is required for this is the user ID of the IRCTC account.
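
    A server-side attempt limit that bounds the OTP guessing described above, as an added example that is not IRCTC's code. The class name, the 6-digit OTP length, the five-failure budget and both time windows are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6             # assumed; the article does not give the OTP length
MAX_FAILURES = 5           # assumed wrong-guess budget per user ID
OTP_TTL_SECONDS = 300      # assumed OTP lifetime
LOCK_WINDOW_SECONDS = 900  # assumed time before the budget resets


class OtpResetStore:
    """Pending reset OTPs and failure counters, keyed by user ID."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._otp = {}       # user_id -> (otp, expires_at)
        self._failures = {}  # user_id -> (count, window_start)

    def _failure_count(self, user_id):
        count, start = self._failures.get(user_id, (0, self._clock()))
        if self._clock() - start >= LOCK_WINDOW_SECONDS:
            self._failures.pop(user_id, None)
            return 0
        return count

    def issue(self, user_id):
        """Return a fresh OTP, or None while the user ID is locked.
        Requesting a new OTP never resets the failure budget."""
        if self._failure_count(user_id) >= MAX_FAILURES:
            return None
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._otp[user_id] = (otp, self._clock() + OTP_TTL_SECONDS)
        return otp  # sent out of band, never echoed to the requester

    def verify(self, user_id, guess):
        """Return 'ok', 'wrong', 'locked' or 'expired'."""
        if self._failure_count(user_id) >= MAX_FAILURES:
            self._otp.pop(user_id, None)  # a locked OTP is dead for good
            return "locked"
        otp, expires_at = self._otp.get(user_id, (None, 0))
        if otp is None or self._clock() >= expires_at:
            return "expired"
        if hmac.compare_digest(otp.encode(), str(guess).encode()):
            del self._otp[user_id]  # single use
            self._failures.pop(user_id, None)
            return "ok"
        count, start = self._failures.get(user_id, (0, self._clock()))
        self._failures[user_id] = (count + 1, start)
        return "wrong"
```

    Because the counter is keyed by user ID, anyone who knows the ID can exhaust the budget and block that user's resets for the lock window, so a per-attempt captcha remains a complementary control rather than a replacement.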

    Story first published: Saturday, February 23, 2019, 16:32 [IST]
