Kanishk Sajnani, a white hat hacker from Ahmedabad, Gujarat, found critical vulnerabilities in IRCTC’s digital infrastructure back in June 2017. His latest blog post on Medium exposes the sheer lack of attention paid to the security of such platforms (used extensively by multitudes in our populace). Two critical flaws in IRCTC emerged through his blog:
- He could have ordered anything at a price absurdly lower than the one officially listed by any of the vendors on the E-catering website.
- He discovered that IRCTC’s E-catering (subdomain & mobile app), Tourism & Corporate websites were serving login pages over HTTP. Passwords entered by a user could be viewed in plain text by anyone on the same network.
According to Google’s Developer site, “all websites should always be protected by HTTPS, even if they don’t handle sensitive communications. HTTPS provides privacy & security to the users & also protects the integrity of your website. With HTTP, an Intruder can snoop on a user’s credentials, cookies, confidential data & also inject any Ad, image, script, etc.”
At first, Kanishk tried reaching out to the CMD & Director (Finance) of IRCTC by email.
After receiving no response, on 22nd June 2017 Kanishk decided to order free food from the restaurant “Comesum” at Mumbai Central Railway Station.
(Image: wallet transactions & food donation pictures)
Kanishk expected some confrontation over these free orders. When IRCTC officials failed to notice such irregularities, he tweeted to all the concerned authorities, dropped a message on the official site of the then Railway Minister, Shri Suresh Prabhu, and also tried calling CERT-In.
Kanishk states on his blog: “Not being able to reach them after so many attempts, I was quite sure that they were ignoring the matter. There was nothing else I could do. The history speaks for itself. There has not been a single ‘Ethical’ vulnerability disclosure by someone on IRCTC’s entire infrastructure, till date. Only FIRs filed against the culprits who were caught hacking into their websites for all the wrong reasons.”
The E-catering subdomain & mobile application of IRCTC were re-launched on 3rd Feb 2018. During the redesign, IRCTC managed to enforce HTTPS. But, according to Kanishk, there are still two IRCTC websites (Tourism & Corporate) that serve login pages over HTTP. The submitted credentials are not even encoded & can be read by an intruder in clear text.
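A defender-side check for the specific failure described here, added as an example that is not from Kanishk’s blog or from IRCTC: given a captured login-page response, it flags a page served over HTTP with no redirect to HTTPS, an HTTPS page missing HSTS, and a password form whose action resolves to http://. The hostnames in the samples are hypothetical and the responses are constructed.

```python
import re
from urllib.parse import urljoin, urlparse

# Regexes for the two things that matter on a login page: where the form
# posts to, and whether it actually carries a password field.
FORM_ACTION_RE = re.compile(r'<form[^>]*\baction\s*=\s*["\']([^"\']*)["\']', re.I)
PASSWORD_FIELD_RE = re.compile(r'<input[^>]*\btype\s*=\s*["\']password["\']', re.I)


def audit_login_page(url, status, headers, body):
    """Return a list of findings for one captured response; [] means clean.

    url     -- URL that was fetched, e.g. "http://host.example.test/login"
    status  -- HTTP status code of the response
    headers -- response headers as a dict (matched case-insensitively)
    body    -- response body as text (HTML)
    """
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    scheme = urlparse(url).scheme.lower()

    if scheme == "http":
        # The only acceptable answer to an http:// request is a redirect to https://.
        location = h.get("location", "")
        redirected = 300 <= status < 400 and urlparse(location).scheme.lower() == "https"
        if not redirected:
            findings.append("login page served over plaintext HTTP with no redirect to HTTPS")
    elif "strict-transport-security" not in h:
        # Without HSTS a user who types the bare hostname still starts on http://.
        findings.append("HTTPS page without a Strict-Transport-Security header")

    if PASSWORD_FIELD_RE.search(body):
        for action in FORM_ACTION_RE.findall(body):
            target = urljoin(url, action)  # relative actions inherit the page's scheme
            if urlparse(target).scheme.lower() == "http":
                findings.append(f"password form submits to plaintext HTTP: {target}")
    return findings


# Constructed sample responses (hypothetical hosts, not captures from IRCTC).
LOGIN_FORM = '<form action="/login" method="post"><input type="password" name="pw"></form>'
PLAINTEXT_LOGIN = ("http://tourism.example.test/login", 200,
                   {"Content-Type": "text/html"}, LOGIN_FORM)
REDIRECTED_LOGIN = ("http://ecatering.example.test/login", 301,
                    {"Location": "https://ecatering.example.test/login"}, "")
ENFORCED_LOGIN = ("https://ecatering.example.test/login", 200,
                  {"Strict-Transport-Security": "max-age=31536000"}, LOGIN_FORM)

if __name__ == "__main__":
    for sample in (PLAINTEXT_LOGIN, REDIRECTED_LOGIN, ENFORCED_LOGIN):
        print(sample[0], audit_login_page(*sample) or ["OK"])
```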
Similar Issues found elsewhere
A tweet by a French security researcher, who goes by the alias Elliot Alderson, claimed that the Indian National Congress’s mobile app was sending personal user info over HTTP to a server in Singapore. The request was merely base64-encoded, which offers no real protection.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
The official app of INC was soon removed from the Google Play Store.
This came only a couple of days after Alderson accused the Prime Minister Shri Narendra Modi’s official app, NaMo, of collecting personal user data without consent and sharing it with a foreign analytics firm.
— Elliot Alderson (@fs0c131y) March 26, 2018
The privacy statement on their official site was soon altered after the exposé went viral.
While the Indian public is caught in a frenzy over these revelations, trying to decide which of the two apps is less secure, the aforementioned HTTP issue in IRCTC still remains unresolved. The issues with IRCTC’s digital infrastructure need to be rectified at the earliest, as the volume of users is too large for the issue to be left unacknowledged.
It’s time for us as a society to introspect about our tendency to sideline and overlook the important voices that are emerging from our own tech community.
Link to Kanishk’s Blog: IRCTC – Not so Secure after all.