IRCTC wakes up after 2 years, corrects its security problem




It took nearly two years for India's largest e-commerce website, the Indian Railway Catering and Tourism Corporation (IRCTC), to fix a security vulnerability that could have given hackers unfettered access to passengers' personal information.

IRCTC manages the Indian Railways' catering, tourism and ticketing operations, which handle approximately 600,000 ticket bookings per day. It could not be independently verified whether passenger data was stolen during the two years the bug existed. Security researcher Avinash Jain discovered the vulnerability in August on IRCTC's website and in its linked mobile applications, which connect to a third-party insurance company to provide free travel insurance.

The bug allegedly gave attackers access to passenger information such as name, age, gender and the names of insurance nominees, without the passengers' knowledge or consent. "In less than 10 minutes (after finding the bug), we were able to read information on nearly 1,000 passengers and nominees," said Jain, who later wrote to IRCTC to warn it of the problem.

He estimates that the vulnerability left the details of at least 200,000 passengers and their nominees exposed to attackers. The bug, reported to IRCTC on August 14, was acknowledged and fixed on August 29.

It is interesting to note that the Indian Railways decided to end the compulsory free travel insurance from September 1, leaving it to users to opt in to travel insurance or not. IRCTC did not answer any questions about this.

In December 2016, IRCTC introduced free travel insurance for everyone who booked tickets via its website or mobile application. This meant that IRCTC shared the passenger details of all travelers with third-party insurers to underwrite the coverage.

After booking a ticket, the nominee's name had to be entered on the website of the insurance company concerned, which generated an encrypted transaction ID for the passenger. "To obtain a traveler's personal information, we needed a valid combination of transaction ID and passenger number (PNR)," said Jain. "We were able to extract a passenger's details by decoding the encrypted data (transaction ID / PNR) by brute force."
The 10-digit PNR number identifies a person's record in the database of a computerized reservation system, and it could also be obtained by the same brute-force technique.
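The weakness described above is that the record lookup was keyed only on guessable identifiers: a 10-digit PNR and a transaction ID, with nothing binding the request to the person who booked. The following Python is an added illustration, not code from IRCTC, the insurer or the researchers. It contrasts a lookup of that shape with a hypothetical hardened design that issues a random 128-bit reference token at booking time, stores only an HMAC of the token, and locks out a client after repeated failed lookups. The sample records, client IDs and helper names are constructed for the example; the expected-guesses calculation assumes valid PNRs are spread uniformly across the 10^10 space, which the article does not state.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: made-up transaction IDs, PNRs and names.
PASSENGERS = {
    ("TXN0000123", "4512345678"): {"name": "A. Kumar", "age": 34, "gender": "M", "nominee": "R. Kumar"},
    ("TXN0000124", "4512345679"): {"name": "S. Devi", "age": 29, "gender": "F", "nominee": "P. Devi"},
}

PNR_KEYSPACE = 10 ** 10  # a 10-digit PNR can take at most 10^10 values


def vulnerable_lookup(txn_id, pnr):
    """The pattern the article describes: whoever presents a valid
    (transaction ID, PNR) pair gets the record. Both identifiers are short
    enough to enumerate, and no session or secret ties the caller to the
    booking, so a remote attacker can simply iterate guesses."""
    return PASSENGERS.get((txn_id, pnr))


def expected_guesses_per_hit(keyspace, valid_records):
    """Expected random guesses before one hits a valid identifier, assuming
    (hypothetically) valid values are uniformly spread over the keyspace.
    With the article's 200,000 exposed records in a 10^10 PNR space that is
    50,000 guesses per record, which is cheap for an automated client."""
    return keyspace // valid_records


@dataclass
class HardenedInsuranceLookup:
    """Hypothetical hardened design (not the insurer's real code):
    - the booking site hands the passenger a random 128-bit reference token;
      nothing else grants access to the record, so there is no small
      keyspace to enumerate;
    - only an HMAC tag of each token is stored, so a database leak does not
      leak usable tokens;
    - failed lookups per client are counted and the client is cut off."""
    server_key: bytes
    max_failures: int = 5
    _records: dict = field(default_factory=dict)   # hmac tag -> record
    _failures: dict = field(default_factory=dict)  # client_id -> failed count

    def _tag(self, token):
        return hmac.new(self.server_key, token.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, record):
        token = secrets.token_urlsafe(16)  # 16 random bytes = 128 bits of entropy
        self._records[self._tag(token)] = record
        return token

    def lookup(self, client_id, token):
        if self._failures.get(client_id, 0) >= self.max_failures:
            return None  # client locked out after too many failed attempts
        record = self._records.get(self._tag(token))
        if record is None:
            self._failures[client_id] = self._failures.get(client_id, 0) + 1
        return record


if __name__ == "__main__":
    service = HardenedInsuranceLookup(server_key=secrets.token_bytes(32))
    token = service.issue_token(PASSENGERS[("TXN0000123", "4512345678")])
    print("vulnerable:", vulnerable_lookup("TXN0000123", "4512345678"))
    print("hardened:  ", service.lookup("client-1", token))
    print("guesses per hit at 200k valid PNRs:", expected_guesses_per_hit(PNR_KEYSPACE, 200_000))
```

The lockout counter here is per client ID for simplicity; in a real deployment it would be keyed on something harder to rotate than a self-declared client string, and the enumeration would also show up as a burst of failed lookups worth alerting on.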
"Three companies offer rail travel insurance, and we found weaknesses only in the link with Shriram General Insurance," said co-researcher Gurunatha Reddy Gopireddy in the disclosure. The links with the other two insurers, ICICI Lombard General Insurance and Royal Sundaram General Insurance, did not have the same weakness.
According to the 2016-17 IRCTC annual report, electronic ticketing accounted for 62% of train tickets booked in India, with more than 573,000 tickets sold daily on the IRCTC website. "Responsible disclosure of flaws is not rewarded by the government," said Jain, who has reported critical security vulnerabilities to, and been rewarded by, NASA, Google and Paytm, among others.
The Indian Computer Emergency Response Team (CERT-In), which handles cybersecurity threats, recorded 53,081 reported incidents in the country in 2017. "Less than 1% of the reports sent to CERT-In come from security researchers, while Indian researchers received more than $1.8 million in rewards in 2017. Incentives are important for active disclosure," said Jain.