Functionalities are user profile specific: IRCTC

Functionalities are user profile specific: IRCTC

29/09/2021

Special Correspondent CHENNAI

The Indian Railway Catering and Tourism Corporation (IRCTC) has stated that there is no chance of cancelling a train ticket by using a different user identity and password.

Referring to a report titled “Teen flags bug in IRCTC’s system” published in these columns on September 21, 2021, IRCTC’s spokesperson Anand Kumar Jha said that there was no scope to cancel a ticket or change the boarding station, by taking advantage of a vulnerability since the functionalities were user profile specific.

But, he said the issue of accessing the transaction details by changing the transaction identity had been fixed on second September 2, 2021.

P. Renganathan, 17, Chennai-based XII Standard student who flagged the issue had written to the the Computer Emergency Response Team stating that he had discovered a critical vulnerability that leaked the transaction details of millions of travellers.

Explaining how the private data could be accessed, Renganathan said that by changing the transaction identity one could gain access to others travel details.

To this, CERT thanked the teenager and confirmed by email that the vulnerability had been fixed.