In recent news, an IndiGo passenger claimed to have discovered a “vulnerability” in IndiGo’s website that let him locate the phone number of a co-passenger with whom his luggage was mistakenly switched. In a series of tweets, the software engineer, who goes by the name of Nandan Kumar, explained how he found that IndiGo’s website “leaks sensitive data” that the airline needs to “get fixed”.
A Software Engineer Digs into IndiGo’s Website to Retrieve Details About His Lost Luggage
When IndiGo refused to help the passenger trace the other person, Mr. Kumar stated that he was able to retrieve information about him from IndiGo’s website. In response, IndiGo has stated that “at no point was the IndiGo website compromised”. Mr. Kumar, who is a software engineer, says he’s not a proficient hacker but had to “do something” to retrieve his lost luggage. The tweets posted by Mr. Kumar mention that by the time he got to the airport luggage belt, a co-passenger had taken his bag and left.
The software engineer only realized the mistake after getting home, because both bags looked exactly alike. He was able to identify the other person’s Passenger Name Record (PNR) number from a luggage tag, but when he contacted the airline to ask for information about the passenger, they refused to help, citing privacy and data protection rules.
Hey @IndiGo6E,
Want to hear a story? And at the end of it I will tell you hole (technical vulnerability) in your system? #dev #bug #bugbounty ?? 1/n — Nandan kumar (@_sirius93_) March 28, 2022
After not getting a positive response from the airline, Mr. Kumar started digging into IndiGo’s website using his co-passenger’s PNR, in the hope of finding an address or a phone number. “After all failed attempts, my developer instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on IndiGo’s website,” Mr. Kumar said. “I thought ‘let me check the network logs’.” What he found was surprising – his co-passenger’s phone number. “To be frank, I only checked for a phone number or an email. Basically, anything I could use to get in touch to retrieve my bag.”
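The behaviour Mr. Kumar describes, a lookup response carrying a contact field that the page itself never displays, is the kind of exposure that building responses from an allowlist and scanning them for personal data is meant to catch. The following is an added illustration, not code from IndiGo or from the original article; the record shape, field names, the `verifiedPnr` session attribute and all sample values are assumptions constructed for the example.

```javascript
// Constructed sample record; all field names are assumptions, not IndiGo's schema.
const sampleRecord = {
  pnr: "ABC123",
  flightNumber: "XX 101",
  status: "CONFIRMED",
  passenger: { lastName: "DOE", phone: "+91 90000 00000", email: "doe@example.com" },
  internal: { agentId: 42 },
};

// Fields any PNR-based lookup may return to the browser.
const PUBLIC_FIELDS = ["pnr", "flightNumber", "status"];

// Build the response from an allowlist instead of deleting fields from the record,
// so a newly added database column never reaches the network response by default.
function serializeBooking(record, requester) {
  const out = {};
  for (const key of PUBLIC_FIELDS) {
    if (key in record) out[key] = record[key];
  }
  // Contact details go only to a session verified as the booking's own passenger.
  // Knowing the PNR (printed on a luggage tag) is not treated as proof of identity.
  if (requester && requester.verifiedPnr === record.pnr) {
    const { lastName, phone, email } = record.passenger;
    out.passenger = { lastName, phone, email };
  }
  return out;
}

const PII_PATTERNS = {
  phone: /\+?\d[\d\s-]{8,}\d/,
  email: /[^\s@]+@[^\s@]+\.[^\s@]+/,
};

// Walk a response body and report the path of every string value that looks like
// a phone number or e-mail address; usable as a release check on API responses.
function findPii(value, path = "$") {
  if (typeof value === "string") {
    return Object.keys(PII_PATTERNS)
      .filter((kind) => PII_PATTERNS[kind].test(value))
      .map((kind) => `${path}:${kind}`);
  }
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => findPii(v, `${path}.${k}`));
  }
  return [];
}
```

Running `findPii` over the raw record flags both contact fields, while the serialized response for an unverified requester comes back clean.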
The Website Has No Security Lapses, Claims the Airline
Mr. Kumar suggested to IndiGo: “Fix your IVR and make it more user friendly; Make your customer service more proactive than reactive, and Your website leaks sensitive data get it fixed”. IndiGo responded with a note saying that they were sorry for the inconvenience caused and giving an assurance that IndiGo’s website had no security lapses.
— IndiGo (@IndiGo6E) March 29, 2022