Nilabh Rajpoot, a cyber security researcher, was booking his train ticket via the IRCTC portal when he discovered a significant security flaw. The bug, in its insurance portal, permitted unauthorised access to passengers’ travel details and allowed modifications to nominee information in the insurance policy.
The IRCTC portal, or Indian Railway Catering and Tourism Corporation portal, is an online platform operated by IRCTC, a subsidiary of Indian Railways. It serves multiple functions including ticket booking, tourism services, ticket cancellation and viewing PNR status.
IRCTC provides a travel insurance programme at a premium of just 35 paise per passenger. This option is available exclusively during the train ticket booking process on the IRCTC website or app.
After booking the ticket, Rajpoot received two text messages. While one mentioned his seat number, coach and PNR, another message provided him with a link to update nominee details on the insurance portal.
A nominee for insurance is a person designated by the policyholder to receive the insurance benefits in the event of the policyholder's death or other covered events. The nominee can be a family member, relative, friend, or anyone the policyholder chooses.
The travel insurance policy, provided by the United India Insurance Co. Ltd. via the IRCTC portal, can be accessed by entering the individual's PNR and registered mobile number. After Rajpoot had updated the nominee details, his curiosity and cybersecurity expertise kicked in and prompted him to explore the portal further.
"Initially, I entered my PNR and a made-up mobile number, and my insurance details still appeared. Then, I started entering random PNRs and fake mobile numbers," he told BOOM.
Rajpoot entered hundreds of PNRs and mobile numbers. Amidst several hits and misses, he managed to get a few instances where he could view passengers' travel and insurance details. "The details included journey date, train number, berth/seat, email, mobile phone, number of passengers accompanying, arrival and departure stations, transaction number and insurance policy information. In some cases it even showed the pin code of the arrival stop," he said.
Alarmingly, the researcher found that the portal also permitted changes to nominee details without the need for an OTP or any security question.
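The two weaknesses described above, a lookup that never compares the supplied mobile number against the one on record and a nominee edit that needs no OTP, can be seen side by side in the following added example. It is not IRCTC's or the insurer's code: it models the weak checks the findings imply next to a hardened version in which the PNR must match the registered mobile number, a nominee change requires a single-use one-time password, and repeated failed lookups from one client are locked out. All PNRs, numbers and names are constructed sample data.

```python
"""Added example (not IRCTC's or the insurer's own code): a minimal model of
the insurance-portal lookup described in the article. WeakPortal shows the
checks the findings imply; HardenedPortal shows the checks a defender would
expect. Every PNR, mobile number and name here is constructed sample data."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Policy:
    pnr: str
    registered_mobile: str
    nominee: str
    journey: str


class AccessDenied(Exception):
    pass


def sample_policies():
    """Constructed records; not real PNRs or phone numbers."""
    return {
        "1234567890": Policy("1234567890", "9000000001", "A. Sharma", "12-Aug NDLS->BCT"),
        "2233445566": Policy("2233445566", "9000000002", "R. Verma", "13-Aug HWH->MAS"),
    }


class WeakPortal:
    """Models the flaw: the mobile number is accepted but never compared,
    so the PNR alone is the whole secret, and edits need no second factor."""

    def __init__(self):
        self.policies = sample_policies()

    def lookup(self, pnr, mobile):
        policy = self.policies.get(pnr)
        if policy is None:
            raise AccessDenied("no such policy")
        return policy  # any mobile number works

    def update_nominee(self, pnr, mobile, new_nominee):
        self.lookup(pnr, mobile).nominee = new_nominee  # no OTP required


class HardenedPortal:
    """Binds the lookup to the registered mobile, requires a one-shot OTP for
    edits, and limits failed attempts per client (for example, per source
    address) so that guessing PNR/mobile pairs is cut short."""

    def __init__(self, max_failures=5):
        self.policies = sample_policies()
        self.max_failures = max_failures
        self._failures = {}     # client -> number of failed lookups
        self._pending_otp = {}  # pnr -> OTP awaiting verification

    def lookup(self, client, pnr, mobile):
        if self._failures.get(client, 0) >= self.max_failures:
            raise AccessDenied("too many failed attempts")
        policy = self.policies.get(pnr)
        # Same error for a wrong PNR and a wrong mobile, so the response does
        # not reveal which half was valid; constant-time compare on the mobile.
        if policy is None or not hmac.compare_digest(policy.registered_mobile, mobile):
            self._failures[client] = self._failures.get(client, 0) + 1
            raise AccessDenied("invalid PNR or mobile number")
        self._failures.pop(client, None)
        return policy

    def send_otp(self, client, pnr, mobile):
        """Issues a single-use OTP only after the PNR/mobile pair is verified."""
        self.lookup(client, pnr, mobile)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending_otp[pnr] = otp
        return otp  # a real system sends this by SMS to the registered number

    def update_nominee(self, client, pnr, mobile, otp, new_nominee):
        policy = self.lookup(client, pnr, mobile)
        expected = self._pending_otp.pop(pnr, None)  # consumed on first use
        if expected is None or not hmac.compare_digest(expected, otp):
            raise AccessDenied("OTP verification failed")
        policy.nominee = new_nominee
        return policy
```

The hardened version returns one generic error whether the PNR or the mobile number was wrong, consumes each OTP on first use so a captured code cannot be replayed, and counts failures per client before the record is even looked up; together those three checks address the behaviour the researcher reported.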
Rajpoot reported the issue to the Computer Emergency Response Team - India (CERT-In) on July 23, which communicated the vulnerability to the relevant organisation. "I received an email from the authority, on July 30, stating that the bug had been fixed and requesting confirmation for the same. After checking the portal, I verified that the vulnerability had indeed been addressed," he said.
IRCTC's past stints with data breaches
This was not the first time IRCTC had to deal with a potential data breach. In December 2022, Indian Railways experienced a significant data leak affecting approximately 3 crore individuals. It was reported that a hacker listed the stolen user data for sale on the Dark Web.
The compromised data included user information and invoices. Specifically, it comprised usernames, emails, verified and unverified mobile numbers, gender, city name, state name, and language preferences. The hacker's sample data included records with emails and phone numbers of individuals who had purchased tickets from Indian Railways.
In 2018, security researcher Avinash Jain had also discovered a bug similar to the one identified by Rajpoot. This bug was present in the links on IRCTC’s website and mobile app that connect to a third-party insurance company for free travel insurance. Jain had said that within 10 minutes of discovering the bug, he was able to access the details of around 1,000 passengers.
Of the 3 companies offering rail travel insurance then, the vulnerability was found only in the link to Shriram General Insurance, and not in those to ICICI Lombard General Insurance and Royal Sundaram General Insurance. The matter was reported to IRCTC on 14 August 2018, and the bug was fixed on 29 August 2018.
A month later, IRCTC decided to discontinue the mandatory free travel insurance, making it voluntary, as it remains in its current form.