The 22-year-old college dropout from Ahmedabad then immediately notified IRCTC about the flaws in its website that let him do so!
Kanishk Sajnani, an ethical hacker from Ahmedabad, is gaining fast popularity for finding lapses in the cybersecurity of Indian companies.
His name first started getting around in the ethical hacking circuit when he broke into the online portal of Air India and booked a flight from Mumbai to San Francisco for Re 1.
But instead of availing himself of this golden opportunity, he e-mailed the CEO of the company informing him of the loopholes in its system.
Air India was not the only instance of his ethical hacking: Sajnani also successfully hacked into the website of SpiceJet, as well as the Cleartrip app. Most recently, Kanishk ordered food for Rs 7 on the Indian Railway Catering & Tourism Corporation (IRCTC) website while travelling to Mumbai.
The shocking fact, however, is that despite his warning the authorities of this anomaly, they did not act upon it for seven months. Anybody with basic hacking skills could order food for next to nothing this way on the website. Sajnani also informed the authorities concerned that their other two websites, IRCTC Tourism and IRCTC Corporate, were also vulnerable. While IRCTC rectified the mistake on the e-catering website, the other two sites remain frightfully exposed.
He had discovered the vulnerability in the IRCTC website in June 2017 and dutifully informed the Chairman of the corporation on June 14 and Railway Minister Suresh Prabhu on June 25, in a set of e-mails.
He further tweeted about it on July 5, tagging the Ministry of Railways and IRCTC, to no response.
Self-taught Sajnani then went on to order food from the website while travelling from Ahmedabad to Mumbai. His first order of “Kadhai Chicken” for Rs 1.3 was paid through the online wallet service MobiKwik and the second order of “Butter Naan” for Rs 6.12 was paid through Paytm. The original prices for these items were Rs 163 and Rs 68 respectively.
When Ahmedabad Mirror asked him why it took him so long to come out with this publicly, he said “I was waiting for IRCTC to take corrective action so that the flaw could not be misused. They repaired the breach on February 3, 2018.” Kanishk didn’t eat the food but gave it to a homeless person outside the Mumbai Central Station.
He paid via two wallets to prove that the problem lay not with the mode of payment but with the IRCTC website itself: the amount the site sent for payment was the amount it accepted, whichever wallet settled it. Additionally, the website was not served over HTTPS and instead ran only on plain HTTP.
When asked why Kanishk paid more for the naan than he did for the chicken, he chuckled and told the publication that he always brought the amount down to Re 1 but wished to pay a higher amount that time. Kanishk noted that the other two IRCTC websites also did not run on HTTPS but used HTTP, and continue to do so. In fact, traffic to them is not encrypted but travels in clear text, so anything a user types on them can be read by anyone on the path.
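The article does not say exactly how the amount was lowered, so the following is an added illustration of the general bug class it describes, a checkout that bills whatever figure the client submits, beside a hardened version that recomputes the total server-side and re-checks the amount in the payment gateway's callback. It is constructed example code, not IRCTC's code and not a reconstruction of Sajnani's method; the catalogue, the order and gateway fields, and the paise amounts are assumptions chosen to make the numbers recognisable.

```python
"""
Hypothetical e-catering checkout: the price-trusting flaw beside its fix.
Constructed example; not IRCTC's code and not the method used in the article.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed server-side catalogue, prices in paise. Rs 163 and Rs 68 are
# the article's list prices for the two items; everything else is assumed.
CATALOGUE: Dict[str, int] = {
    "kadhai_chicken": 163_00,
    "butter_naan": 68_00,
}


class CheckoutError(ValueError):
    """Raised when an order or a payment callback fails validation."""


@dataclass
class Order:
    order_id: str
    items: Dict[str, int]   # item name -> quantity
    amount_paise: int       # what the server expects to be paid
    paid: bool = False


def vulnerable_create_order(order_id: str, items: Dict[str, int],
                            client_amount_paise: int) -> Order:
    """Vulnerable 'before': the amount handed to the payment gateway is whatever
    the client posted (a hidden form field, a JSON body, a query string), so a
    user who edits the request chooses their own price."""
    return Order(order_id, dict(items), client_amount_paise)


def server_total_paise(items: Dict[str, int]) -> int:
    """Recompute the total from the server-side catalogue only."""
    total = 0
    for name, qty in items.items():
        if name not in CATALOGUE:
            raise CheckoutError(f"unknown item {name!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise CheckoutError(f"bad quantity for {name!r}")
        total += CATALOGUE[name] * qty
    return total


def secure_create_order(order_id: str, items: Dict[str, int],
                        client_amount_paise: int) -> Order:
    """Hardened: the client's figure is compared, never used. A mismatch is
    rejected (and worth logging: honest clients do not disagree with the menu)."""
    expected = server_total_paise(items)
    if client_amount_paise != expected:
        raise CheckoutError(
            f"amount mismatch: client sent {client_amount_paise}, expected {expected}")
    return Order(order_id, dict(items), expected)


def confirm_payment(order: Order, gateway_order_id: str,
                    gateway_amount_paise: int, gateway_status: str) -> bool:
    """Second check, on the gateway's callback: the amount the wallet actually
    settled must equal the server's own figure for this order. This is what makes
    the choice of wallet irrelevant; whichever gateway is used, the server's
    price is the only one that counts."""
    if gateway_order_id != order.order_id:
        raise CheckoutError("callback does not belong to this order")
    if gateway_status != "SUCCESS":
        return False
    if gateway_amount_paise != order.amount_paise:
        raise CheckoutError(
            f"settled {gateway_amount_paise} paise, order requires {order.amount_paise}")
    order.paid = True
    return True


if __name__ == "__main__":
    cart = {"kadhai_chicken": 1}
    bad = vulnerable_create_order("A1", cart, 1_30)  # Rs 1.30 goes straight through
    print("vulnerable server will bill (paise):", bad.amount_paise)
    try:
        secure_create_order("A2", cart, 1_30)
    except CheckoutError as err:
        print("secure server rejects:", err)
```

Both checks are needed: validating the order at creation stops the cheap order from ever reaching a gateway, and validating the callback stops an attacker who can reach the gateway directly, or replay a callback, from marking an underpaid order as settled.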
IRCTC launched its revamped webpage and app on February 3, 2018, with a new User Interface, forced HTTPS, and a payment gateway that offers most wallet options, except Paytm and MobiKwik.
Sajnani is a computer engineering drop-out, currently pursuing professional courses that will upgrade his knowledge. He has also turned down an internship offered to him by a mobile wallet company. He rues that there are no bug bounty programmes in India. These programmes are deals offered by many websites and software developers to individuals for reporting bugs, especially those pertaining to exploitable vulnerabilities, and usually involve rewards and recognition. Across the seas, however, the US government has an official bug bounty programme running through HackerOne, the world's largest bug bounty platform.
(Edited by Shruti Singhal)