
Patched flaw exposed sensitive data on IRCTC insurance portal


The Indian Railway Catering and Tourism (IRCTC) recently addressed a severe vulnerability in its insurance portal, which had previously allowed unauthorised access to passengers’ travel details and enabled changes to insurance policy nominee information without proper verification.

Noida-based cybersecurity researcher Nilabh Rajpoot uncovered the flaw, reports The Hindu. After booking train tickets via the IRCTC website and opting for travel insurance, Rajpoot received a link through SMS.

The link, intended to provide access to the travel insurance policy from United India Insurance Co Ltd, required the passenger to enter their PNR (Passenger Name Record) and registered mobile number. This process also included an option to update nominee details in the insurance policy.

On exploring the portal further, Rajpoot found that when he entered random PNRs and fictitious mobile numbers, the portal displayed detailed passenger information, including journey dates, train numbers, berth or seat details, email addresses, mobile phone numbers, and insurance policy data.

Alarmingly, it also permitted changes to nominee details without requiring any additional verification, such as an OTP or security question.
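The two checks the report found missing, sketched as an added example (this is not the portal's code, which the article does not describe): the lookup must bind the mobile number to the PNR's record, and a nominee change must require a one-time code. The in-memory store, function names and sample PNR, number and nominee are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; the PNR, phone number and names are made up.
POLICIES = {"1234567890": {"mobile": "9000000001", "train": "00000",
                           "nominee": "A. Example"}}
_pending_otps = {}  # pnr -> SHA-256 digest of the one-time code


def _matches(pnr, mobile):
    """True only when the mobile number is the one registered for this PNR."""
    record = POLICIES.get(pnr)
    # Unknown PNRs are compared against a dummy value so both paths do a compare.
    expected = record["mobile"] if record else "\0" * 10
    same = hmac.compare_digest(expected.encode(), mobile.encode())
    return same and record is not None


def view_policy(pnr, mobile):
    """Return policy data only for the matching (PNR, mobile) pair."""
    if not _matches(pnr, mobile):
        # Same error for an unknown PNR and a wrong number: no enumeration oracle.
        raise PermissionError("PNR and mobile number do not match")
    return dict(POLICIES[pnr])


def request_nominee_change(pnr, mobile):
    """Issue a one-time code; a real service would send it by SMS instead."""
    if not _matches(pnr, mobile):
        raise PermissionError("PNR and mobile number do not match")
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending_otps[pnr] = hashlib.sha256(otp.encode()).hexdigest()
    return otp  # returned here only so the example can run offline


def confirm_nominee_change(pnr, mobile, otp, new_nominee):
    """Apply the change only with a valid, single-use code."""
    if not _matches(pnr, mobile):
        raise PermissionError("PNR and mobile number do not match")
    expected = _pending_otps.pop(pnr, None)  # pop: one attempt per issued code
    supplied = hashlib.sha256(otp.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, supplied):
        raise PermissionError("invalid or expired OTP")
    POLICIES[pnr]["nominee"] = new_nominee
    return True
```

A production service would also rate-limit lookups per client and expire unused codes after a short interval.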

Given the scale of data used by IRCTC, the impact could have been worse had the vulnerability not been detected early on.

Rajpoot detailed his findings and promptly reported the vulnerability to the Computer Emergency Response Team (CERT-In) on July 23, 2024. CERT-In, in turn, communicated the issue to the relevant organisation overseeing the portal.

By July 30, 2024, CERT-In confirmed that the reported vulnerability had been addressed and asked Rajpoot to verify the fix from his end.

The exposed vulnerability was particularly concerning given the sensitive information it compromised. While the flaw was found in the insurance portal managed by a third-party entity, the ramifications extended to IRCTC as the primary custodian of passengers’ data.

Recently, C-Edge Technologies Ltd. was the target of a ransomware attack. The company provides key technology services for several small banks in India. The attack caused the banks to shut down the Unified Payment Interface (UPI) and Aadhaar-enabled payment services (AePS).

Although the National Payment Corporation of India (NPCI) managed to re-establish contact with C-Edge, the incident highlights that the Indian banking sector is as prone to cyberattacks as any other sector in the country.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
