IRCTC website flaw lets hackers cancel booked tickets
The IRCTC security flaw that was reported last month has now been fixed.
IRCTC (Indian Railways Catering and Tourism Corporation) is used by millions of users to book train tickets. As internet use grew, so did the number of people using this service, which eventually led to the launch of a functional website and a dedicated app to book and manage tickets. With that many users, even a minor security flaw is bound to affect a large number of accounts.
As per a recent report, security researcher Ronnie T Baby discovered a major security flaw in the IRCTC website. The flaw was relatively easy to exploit for anyone with an idea of what they are doing, and it could let attackers access lakhs of user accounts and cancel booked tickets.
Notably, it is claimed that this flaw was reported to IRCTC on January 19 and that the platform resolved the issue with proper captcha verification in less than a month.
IRCTC security flaw
The security researcher took to LinkedIn to describe the bug, which was found in the password reset option; the flaw was first reported by FossBytes. The password reset flow asks users for their IRCTC user ID and then sends them an OTP that lets them set a new password. A captcha is meant to protect that OTP against brute-force attacks, in which a program submits numerical OTPs one after another until it hits the right one. The flaw was that the captcha was not properly verified, so anyone could generate unlimited password reset requests and OTP guesses against an account.
Going by the post, the researcher was able to brute-force the OTP and log in to the account, which reveals details such as the address and booked tickets, and gave him the ability to cancel those tickets. The only input required for this is the user ID of the IRCTC account.
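The following is an added example, not IRCTC's code or the researcher's: a toy model of an OTP-protected password reset endpoint, a brute-force client of the kind described above, and the two controls that stop it (a captcha that is actually enforced before an OTP is issued, and a cap on wrong guesses that invalidates the OTP). The endpoint shape, the 6-digit OTP format, the attempt limit of 5 and the status strings are all assumptions made for illustration.

```python
"""Toy password-reset OTP endpoint with a flawed and a hardened configuration.

Added example, not IRCTC's code. Assumptions: a 6-digit numeric OTP, a cap of
5 wrong guesses on the hardened server, and a captcha that must be solved
before an OTP is issued. Only the user ID is needed to start the flow, as in
the flaw described in the article.
"""
import hmac
import secrets

OTP_DIGITS = 6
OTP_SPACE = 10 ** OTP_DIGITS  # 1,000,000 possible codes


class ResetServer:
    """Password-reset OTP endpoint.

    ResetServer() with no arguments models the flawed behaviour: the captcha
    is not enforced and there is no cap on OTP guesses, so an attacker can
    simply try every code. ResetServer(max_attempts=5, enforce_captcha=True)
    models the fix.
    """

    def __init__(self, max_attempts=None, enforce_captcha=False,
                 otp_source=secrets.randbelow):
        self.max_attempts = max_attempts
        self.enforce_captcha = enforce_captcha
        self._otp_source = otp_source  # injectable so the demo is reproducible
        self._pending = {}  # user_id -> {"otp": str, "attempts": int}

    def request_otp(self, user_id, captcha_solved):
        """Issue a fresh OTP for user_id. Returns False if the captcha gate blocks it."""
        if self.enforce_captcha and not captcha_solved:
            return False
        otp = f"{self._otp_source(OTP_SPACE):0{OTP_DIGITS}d}"
        self._pending[user_id] = {"otp": otp, "attempts": 0}
        return True

    def verify_otp(self, user_id, guess):
        """Check a guess. Returns "ok", "wrong", "locked" or "none".

        On the hardened server, exceeding max_attempts deletes the OTP, so even
        a later correct guess fails; the attacker must request a new OTP, which
        again requires a captcha.
        """
        state = self._pending.get(user_id)
        if state is None:
            return "none"
        state["attempts"] += 1
        if self.max_attempts is not None and state["attempts"] > self.max_attempts:
            del self._pending[user_id]
            return "locked"
        if hmac.compare_digest(state["otp"], guess):  # constant-time compare
            del self._pending[user_id]  # OTP is single use
            return "ok"
        return "wrong"


def brute_force(server, user_id, captcha_solved=False):
    """Attacker loop: request an OTP for user_id, then guess every code in order.

    Returns the number of guesses it took, or None if the server refused to
    issue an OTP or cut the attacker off.
    """
    if not server.request_otp(user_id, captcha_solved):
        return None
    for n in range(OTP_SPACE):
        status = server.verify_otp(user_id, f"{n:0{OTP_DIGITS}d}")
        if status == "ok":
            return n + 1
        if status in ("locked", "none"):
            return None
    return None


if __name__ == "__main__":
    # Fixed OTP 004242 so both runs are reproducible; the real server would use secrets.randbelow.
    weak = ResetServer(otp_source=lambda n: 4242)
    print("flawed server: guesses needed =", brute_force(weak, "user1"))        # 4243
    hard = ResetServer(max_attempts=5, enforce_captcha=True, otp_source=lambda n: 4242)
    print("fixed server, no captcha:", brute_force(hard, "user1"))              # None
    print("fixed server, captcha solved:", brute_force(hard, "user1", True))    # None
```

The flawed server falls in 4,243 guesses here and in at most a million in general, which is seconds of work against an endpoint that never pushes back. The fix is two independent gates: a captcha that is checked before an OTP is issued at all, and a per-OTP attempt cap that invalidates the code, so a captcha-solving service only buys the attacker a handful of guesses per solve rather than the whole keyspace.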