Major bug in IRCTC can allow hackers cancel train tickets booked by passengers: Top facts
For last the few years, Indian Railways Catering & Tourism Corporation (IRCTC) has made headlines for wrong reasons particularly related customer data leaks on its websites and how slow it takes time to fix it.
And yet, the state-run firm seems to have learnt any lessons, as a new report has emerged that there is a flaw in the IRCTC that would allow hackers to cancel train tickets of the passenger without notice.
Fossbytes citing Ronnie T Baby, a cybersecurity enthusiast and a student at Karunya University has claimed that IRCTC despite having Captcha, a protocol to differentiate a human from a computer-based cyber attack is still vulnerable to hacking and cause inconvenience to the consumers.
Thanks to innumerable attempts options to reset a password for the ticket bookers, a cybercriminal can use brute-force technique to crack open their account and cancel the booked tickets.
Screenshot of the IRCTC’s new website IRCTC
Yes, even if the user receives One Time Password (OTP) every time to reset a password can be gained by a cybercriminal using a sophisticated algorithm that can generate millions of number codes in quick time and hack the account.
Since Railways is using 6-digit OTP, the algorithm can easily bring 999,999 combinations, which will one correct password and help criminals to log in to the consumer account.
Thankfully, Railways, unlike before has, reportedly fixed the glitch that allows users the innumerable attempts to log in to the account despite repeated wrong password and OTP.
In a related development, Indian Oil Corporation-owned Indane, one of the biggest Liquid Petroleum Gas (LPG) suppliers in India faced similar glitch on its website.
It caters to more than 90 million customers, but apparently, its weak website and mobile app security, it allowed an ethical hacker to pull several millions of customer details and Aadhaar details, in addition, to hundreds of distributers information.As per the latest reports, it has been fixed.