P Renganathan, like all teenagers, spends a considerable amount of time online but what he does is rather unique. The 17-year-old student of Class 12 from Chennai is a bug bounty hunter in his free time.
Speaking with The Better India, he says, “I am a commerce student interested in business and its development. But this is an interest that I developed when the first lockdown was imposed. Being online so much led me to start reading about bug bounty hunters and that intrigued me to find out more.”
It was by sheer coincidence that Renganathan stumbled upon a flaw on the Indian Railway Catering and Tourism Corporation (IRCTC) website while making a booking for a family member. He says, “It was not like I was looking for a bug on the website. Just as I was completing the ticket booking formalities, I looked to see if the Insecure Object Direct References (IDOR) vulnerability was present. This is a common vulnerability that developers often seem to overlook and this can cause serious threats to the data on the server.”
A vulnerability is nothing but a security flaw or error which is not supposed to be present on the site. Bug bounty hunters are essentially security researchers who hunt for such flaws and bring it to the notice of the website owners. Internationally, there are some organisations that pay the bounty hunters for finding and reporting the flaws. However, in India, that is not the case. Renganathan says, “The bug bounty hunters are paid according to the severity of the threat or flaw that is discovered.”
No Hall Of Fame For Hackers
Speaking of the severity of the vulnerability he found, he says, “I found that the critical Insecure Object Direct References (IDOR) vulnerability on the website allowed me to access the journey details of other passengers such as name, gender, age, PNR (Passenger Name Record) number, train details, departure station and date of journey. Furthermore, with these details, I could also modify and cancel the trip of the passenger, order food and make other changes as well.”
All this could be done in such a way that the passenger would not even come to know of the modification or cancellation that has been carried out. “Not just this, the flaw posed a huge security threat because the details of millions would have been compromised if someone had to access it,” he adds.
The flaw that allowed Renganathan access, which has now been fixed, was to do with the 13-digit transaction id of each passenger being accessible.
“I could use the transaction id to change and modify the booking rather easily,” he says.
Just after he found this flaw on 30 August 2021, he alerted the Computer Emergency Response Team (CERT), India, which is a nodal agency set up by the Ministry of Electronics and Information Technology, Government of India to deal with cyber security threats like hacking and phishing. They also run a responsible disclosure programme under which ethical hackers can report any vulnerability that they find.
Within 30-minutes of the issue being brought to the notice of CERT, a ticket number was assigned to Renganathan and the issue was resolved within a few days. He says, “I did go back to the website after four days to check and found that the issue had been resolved. A week after, I received an official intimation that the issue was fixed.” Subsequently, Renganathan also received a letter of appreciation for the work done.
While there are many who are constantly on the lookout for such bugs online, Renganathan says that most efforts are directed at securing websites outside of Indian jurisdiction. “This is because countries like the Netherlands and the US offer monetary compensation and also some interesting merchandise like t-shirts for the bug bounty hunters. In India, all we get is an appreciation email,” he says. He also mentions that in the US, the Department of Defence, runs a programme of disclosure and the names of such ethical hackers are added to a wall of fame on Hackerone.
But this was not the first tryst with finding online flaws on websites for him.
In October 2020, he had found a bug on LinkedIn, which allowed him to crash any user’s phone just by sending them an invitation request. “I was able to bypass the 300-word count limit while sending a connection request and made it to be more than a million-word count. The app could not render the whole text and in turn ended up crashing the system. LinkedIn also did not pay but acknowledged my work.”
United Nations, Byjus, LinkedIn and Nike are some other websites that Renganathan found bugs on and also got acknowledged for. So far, Renganathan has received monetary compensation of more than $100 and also letters of appreciation from various companies based abroad.
“While I know some parents do not like their children spending too much time online, mine are happy with all that I have been doing and are also proud of me,” he concludes.
(Edited by Yoshita Rao)