Chennai: A 17-year-old school student from Chennai’s Tambaram has identified and helped the Indian Railway Catering and Tourism Corporation (IRCTC) fix a bug in its online ticketing platform. Notably, the bug could have exposed millions of passengers and their private information. After P. Renganathan raised the alarm, the bug was fixed and acknowledged by the IRCTC.

According to an IANS report, Renganathan was logging into the IRCTC site to book a ticket when he found that he could access the details of other passengers, a flaw that compromised the security of the website. The critical Insecure Direct Object Reference (IDOR) vulnerability on the website allowed him to access the journey details of other passengers, including name, gender, age, PNR number, train details, departure station, and date of journey.

Renganathan said that as the back-end code was the same, a hacker could have ordered food in the name of another passenger, changed the boarding station, and even cancelled the ticket without the knowledge of the passenger. He said that more than this, there was the risk of the database of millions of passengers being compromised or leaked.

The teenager then reported the matter to the Computer Emergency Response Team (CERT) on August 30, and the IRCTC was alerted.

“I accidentally discovered a critical IDOR that leaks the transaction details of millions of travelers, when I was trying to book tickets on August 30. It was the most common bug. Immediately, I reported about it to the Indian Computer Emergency Response Team (CERT-In),” P Renganathan, a plus two student of a private school in Tambaram here, said.

The IT wing of the IRCTC took note of the complaint and resolved the vulnerability in four days. “Our e-ticketing system is well protected (now). The issue was reported on August 30 and it was fixed on September 2,” an official said. On September 11, 2021, Renganathan also received a mail thanking him for reporting the incident.

The teenager had earlier received acknowledgments from LinkedIn, the United Nations, Nike, and several others for alerting them to vulnerabilities in their websites. According to a report in The Hindu, Renganathan wants to pursue a career in Computer Science while continuing independent research on the security of web applications.

(With PTI & IANS inputs)