Wednesday, April 16, 2008

Serious security issue with IRCTC website

The login form of the IRCTC website is submitted over HTTP, in plain text. This is a very serious issue, since both your user ID and password could be sniffed by someone on the network. One thing I observed is that they have an HTTPS server running, and this server is capable of receiving login requests. I think it was a bug in the code: the developer gave the URL as HTTP instead of HTTPS.

How to work around the issue? This is not a clean approach, but it works. You can copy and paste the URL "https://www.irctc.co.in/cgi-bin/bv60.dll/irctc/services/login.do?userName=XXX&password=YYY" into your browser, replacing XXX with your user ID and YYY with your password. Note that with this workaround the credentials sit in the query string, so they will also end up in your browser history and in the server's access logs; it only fixes the on-the-wire problem.

I tried to send feedback about this to the site admin or someone in charge. Pathetic... I could not find any link or email address on that website to do this. Hopefully someone from IRCTC will read this blog and fix the issue.

Thursday, April 03, 2008

WTH is wrong with Tata Indicom

Tata Indicom has an amazing (?!) website to manage all your accounts with them online. I don't know WTH is wrong with them: none of the login pages are submitted over HTTPS. Yes, any n00b running a sniffer can sniff out your password and any other sensitive information you enter with a little effort. On top of this, the page was submitted to an IP address instead of a hostname, which was beyond my wildest imagination. I had to run a whois query on the APNIC server just to confirm that I was talking to one of their servers.

I am surprised how on earth Tata Indicom can claim to be the number one (or one of the top) telecom service providers in India if they don't even take the security of their users' identities seriously.
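Both of the problems described in these two posts (a login form whose action is plain HTTP, and one that posts to a bare IP address instead of a hostname) can be caught by scanning a page's markup before anyone types a password into it. The following checker is an added example written for this blog, not code from IRCTC, Tata Indicom or the original posts; the sample HTML and the `example.test` / `192.0.2.10` addresses are constructed placeholders.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

class LoginFormCollector(HTMLParser):
    # Records the resolved action URL of every <form> that contains a password field.
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # an absent action submits back to the page URL itself
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""), "password": False}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["password"]:
                self.forms.append(self._form["action"])
            self._form = None

def audit_login_forms(page_url, html):
    """Return {action_url: [problems]} for each form on the page that carries a password field."""
    parser = LoginFormCollector(page_url)
    parser.feed(html)
    findings = {}
    for action in parser.forms:
        parts, problems = urlsplit(action), []
        if parts.scheme != "https":  # the IRCTC case: credentials leave the browser in clear text
            problems.append("login submitted over plain HTTP")
        try:  # the Tata Indicom case: a bare IP gives the user no way to tell whose server this is
            ip_address(parts.hostname or "")
            problems.append("form posts to a bare IP address instead of a hostname")
        except ValueError:
            pass
        findings[action] = problems
    return findings

# Constructed sample markup (hypothetical; not the real IRCTC or Tata Indicom pages).
SAMPLE_URL = "https://www.example.test/login"
SAMPLE_HTML = """
<form action="http://www.example.test/cgi-bin/login.do" method="post">
  <input name="userName"><input type="password" name="password"></form>
<form action="http://192.0.2.10/account/login" method="post">
  <input name="user"><input type="PASSWORD" name="pw"></form>
<form action="/search"><input name="q"></form>
"""
```

Run `audit_login_forms(SAMPLE_URL, SAMPLE_HTML)` to see both login forms flagged while the search form, which carries no password field, is ignored.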