What’s IRCTC?
IRCTC (Indian Railway Catering and Tourism Corporation) is a public sector undertaking that provides ticketing, catering, and tourism services for Indian Railways. Established in 1999 under the Ministry of Railways, it was listed on NSE and BSE in 2019, with the Government holding 67% ownership. As of December 2023, IRCTC has 66 million registered users, with a daily average of 7.31 lakh tickets booked. (Source: Wiki)
Recently, I discovered a critical Insecure Direct Object Reference (IDOR) vulnerability in the IRCTC eCatering portal that allowed an attacker to place food orders on behalf of any PNR ticket holder or IRCTC user without their knowledge. This flaw could have led to financial loss and reputational damage for innocent users.
Impact:
- Unauthorized Orders: An attacker could place food orders using any IRCTC user’s account or PNR ticket without their consent.
- Financial Loss & Wastage: This could lead to excessive financial loss and wastage of food, as users wouldn’t be aware of these orders.
- False Allegations: IRCTC food courts might falsely accuse users of ordering food they never requested.

Steps to Reproduce:
1. Visit the IRCTC eCatering Portal.
2. Log in using a valid IRCTC account.
3. Click on “Book Food Order” and proceed.

After identifying the vulnerability, I immediately reported the issue to CERT-In (Indian Computer Emergency Response Team). IRCTC acknowledged the report, and the vulnerability has now been patched to prevent exploitation.
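The bug class described above is an authorization failure: the server accepts a client-supplied PNR or user identifier and never checks that it belongs to the logged-in account. The following is an added illustration, not IRCTC’s code and not the actual endpoint; every name (PNR_OWNERS, Session, OrderBook, place_order_vulnerable, place_order_fixed, DENIED_LOG) is hypothetical and the PNR table is constructed sample data. It shows the vulnerable handler beside the fixed one, which binds the order to a PNR owned by the authenticated user and records denied attempts so that probing shows up in logs.

```python
"""Model of an IDOR in a food-ordering endpoint, with a hardened version.

Added example with hypothetical names; not IRCTC's code. The PNR ownership
table below is constructed sample data, not real bookings.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: which logged-in account each PNR belongs to.
PNR_OWNERS = {
    "1234567890": "user_alice",
    "9876543210": "user_bob",
}

# Denied attempts are recorded here so a SOC can alert on repeated failures
# from one account (a signature of someone enumerating other users' PNRs).
DENIED_LOG: list = []


@dataclass
class Session:
    """Authenticated session; user_id comes from the server-side session store."""
    user_id: str


@dataclass
class OrderBook:
    """Stand-in for the orders table."""
    orders: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested PNR."""


def place_order_vulnerable(session: Optional[Session], pnr: str, item: str,
                           book: OrderBook) -> bool:
    """Vulnerable handler: checks only that *someone* is logged in.

    The PNR in the request is trusted as-is, so any authenticated account
    can create an order against any valid PNR. This is the IDOR pattern.
    """
    if session is None:
        raise PermissionError("login required")
    if pnr not in PNR_OWNERS:
        raise ValueError("unknown PNR")
    book.orders.append({"pnr": pnr, "item": item, "placed_by": session.user_id})
    return True


def place_order_fixed(session: Optional[Session], pnr: str, item: str,
                      book: OrderBook) -> bool:
    """Fixed handler: the PNR must be owned by the authenticated account.

    Ownership is looked up server-side from the session's user_id, never
    from anything the client sends. Unknown and foreign PNRs get the same
    response so the endpoint does not confirm which PNRs exist.
    """
    if session is None:
        raise PermissionError("login required")
    owner = PNR_OWNERS.get(pnr)
    if owner is None or owner != session.user_id:
        DENIED_LOG.append({"user": session.user_id, "pnr": pnr, "reason": "not_owner"})
        raise Forbidden("PNR is not associated with this account")
    book.orders.append({"pnr": pnr, "item": item, "placed_by": session.user_id})
    return True


def demo() -> dict:
    """Run both handlers with alice trying to order against bob's PNR."""
    alice = Session("user_alice")
    bobs_pnr = "9876543210"

    vulnerable_book = OrderBook()
    vulnerable_allowed = place_order_vulnerable(alice, bobs_pnr, "veg thali", vulnerable_book)

    fixed_book = OrderBook()
    try:
        place_order_fixed(alice, bobs_pnr, "veg thali", fixed_book)
        fixed_allowed = True
    except Forbidden:
        fixed_allowed = False

    return {
        "vulnerable_allowed": vulnerable_allowed,   # True: order created for bob
        "fixed_allowed": fixed_allowed,             # False: request rejected
        "fixed_orders": len(fixed_book.orders),     # 0: nothing was written
    }


if __name__ == "__main__":
    print(demo())
```

The essential change is that the fixed handler derives authorization from the server-side session and the ownership table, not from the PNR or user id in the request. Logging denials with the account and the requested PNR gives detection a hook: one account failing this check against many different PNRs is a pattern worth an alert.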
Thanks for reading :)
Stay Safe.
https://www.linkedin.com/in/deepak-kumar-84613b18a
https://about.me/deepak7903800
Author: Deepak Kumar
Cyber Security Analyst | Ethical Hacker