UPDATE: IRCTC has fixed this issue :)
Ever booked railway tickets online in India?
If yes, then you must have used irctc.co.in.
The site does a great job with the interface and everything.
But recently I found a very severe privacy/security breach on the site.
When you are on the Print Ticket page, copy the address which looks something like this:
https://www.irctc.co.in/cgi-bin/bv60.dll/irctc/services/printTicket.jsp?UserRole=Normal&PassString=NNNNNN&ID=null&transID=0102986022
Now the thing to note about this page is that you can open it at any time without your username/password.
Also, if you change the number at the end of the address (that is, 0102986022 in the example address above) to something like 0102986023 or 0102986053 or 0102987022, you can see tickets of random people without any sort of restriction.
This is a serious privacy breach, since we are able to view other people’s tickets.
I don’t know if IRCTC is aware of this. I have intimated them about this on their site, but I haven’t heard from them yet.
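The missing control here is a server-side check that the request comes from a logged-in user who owns the requested ticket. The sketch below is an added example, not IRCTC's code: the ticket store, session table, function names and all data in it are hypothetical and constructed for illustration.

```python
# Added example with constructed data; names are hypothetical, not IRCTC's.

# Constructed store: transaction ID -> ticket record, including its owner.
TICKETS = {
    "0000000101": {"owner": "alice", "passenger": "A. Example", "train": "00001"},
    "0000000102": {"owner": "bob", "passenger": "B. Example", "train": "00002"},
}

# Constructed session table: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """The caller has no valid login session."""


class NotFound(Exception):
    """The ticket does not exist or does not belong to the caller."""


def print_ticket_vulnerable(trans_id):
    # The flaw described in the post: the transID from the URL is the only
    # input, so any valid number returns a ticket, with no login at all.
    return TICKETS[trans_id]


def print_ticket(session_token, trans_id):
    # 1. Identity comes from the server-side session, never from URL
    #    parameters such as UserRole or transID.
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("login required")
    # 2. Fetch the record, then verify the session's user owns it.
    ticket = TICKETS.get(trans_id)
    if ticket is None or ticket["owner"] != user:
        # Same error for "missing" and "someone else's" so the response
        # does not reveal which transaction IDs exist.
        raise NotFound("no such ticket")
    return ticket
```

Non-sequential ticket identifiers make guessing harder, but the ownership check is what actually closes the hole.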