Wednesday, April 16, 2008

Serious security issue with IRCTC website

The login form on the IRCTC web site is submitted over plain HTTP. This is a serious issue: both your user ID and your password travel in cleartext and can be sniffed by anyone on the network path between you and the server. One thing I observed is that they also run an HTTPS server, and that server accepts the same login request. I think this was a bug in the code: the developer pointed the form at the HTTP URL instead of the HTTPS one.

How to overcome the issue? This is not a clean approach, but it works. Copy and paste the URL "https://www.irctc.co.in/cgi-bin/bv60.dll/irctc/services/login.do?userName=XXX&password=YYY" into your browser, replacing XXX with your user ID and YYY with your password, so that the request goes straight to the HTTPS server. One caveat: because the credentials are in the query string, they end up in your browser history and, typically, in the web server's access log, so clear your history afterwards.
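As an added example (not code from the original post and not IRCTC's code), here is a small Python script that performs the check described above offline: it parses a page, finds every form that carries a password field, resolves the form's action against the page URL, and flags actions that do not use https:// as well as forms that submit with GET (which is the property the query-string workaround above has). The HTML it scans is a constructed sample with a made-up hostname, modelled on the problem described, not a copy of the IRCTC page.

```python
"""Audit a page's login forms: do they submit credentials over HTTPS, and by POST?

Added example, not IRCTC's code. SAMPLE_PAGE is a constructed page with a
made-up hostname (example.test), modelled on the problem in the post: the
page is served over HTTPS but its login form posts to an absolute http:// URL.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collect every <form>, with its resolved action, method and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # completed forms
        self._current = None   # the form being parsed, None while outside any <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action resolves against the page URL, exactly
            # as the browser would resolve it before submitting.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {
                "action": action,
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(html, page_url):
    """Return one (action, problems) tuple per form that contains a password field.

    problems is a list of strings; an empty list means the form submits
    credentials over HTTPS by POST.
    """
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes etc. are not our concern
        problems = []
        if urlsplit(form["action"]).scheme != "https":
            problems.append("credentials sent in cleartext: form action is not https://")
        if form["method"] != "post":
            problems.append("credentials in query string: method is GET, so they land in "
                            "browser history, server logs and Referer headers")
        findings.append((form["action"], problems))
    return findings


# Constructed sample page: served over HTTPS, login form posts to plain HTTP.
SAMPLE_PAGE = """
<html><body>
<form action="http://www.example.test/cgi-bin/login.do" method="post">
  <input name="userName" type="text">
  <input name="password" type="password">
  <input type="submit" value="Login">
</form>
<form action="/search" method="get">
  <input name="q" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, problems in audit_login_forms(SAMPLE_PAGE, "https://www.example.test/"):
        print(action, "->", "OK" if not problems else "; ".join(problems))
```

Because the check resolves the action the way a browser does, a page served over HTTPS whose form uses a relative action is reported as fine, while an absolute http:// action is flagged even on an HTTPS page; that is the mistake the post describes.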

I tried to send feedback about this to the site admin or someone in charge. Pathetic ... I could not find any link or email address on the website for doing so. Hopefully someone from IRCTC will read this blog and fix the issue.

6 comments:

Lavnish said...

Hhmmmm, nice finding, buddy.
Sad but true... the government websites in the country of techies ... guess that's why China is easily attacking Indian government servers.

more at
http://lavnish.blogspot.com/2007/05/wwwindianrailgovin-usability.html

Mayank said...
This comment has been removed by the author.
Mayank said...

Good catch, and I found another serious security problem here:
http://blog.mayankkapoor.com/2008/06/security-hole-on-irctc-train-ticket.html

PRK said...

Wait a minute! Do you say that they send the password as plain text in the URL?

pleh said...

Have you heard of these....
In 1982 a Lockheed F-117 aircraft crashed because of a software bug. The software interchanged the "yaw rudder" with the "pitch elevator".
Because of a code number mix-up, in September 1994, three parking offenders in Bayreuth, Germany got charged with "preparation of a war".
In 1985, in an assembly hall of General Motors, all the black cars were assembled without the windscreen. Why? Because a robot couldn't recognize the colour "black".
The "shutdown melody" of the Siemens S65 mobile was so loud when the battery was faint that some even got hearing damage.
In 1996 a prototype of the Ariane 5 rocket of the European Space Agency was destroyed because they used the software from the Ariane 4 rocket.
1985 - 1986: a few patients were killed in a hospital in the USA because the medicine dose was calculated wrongly.
In 1962 NASA lost their 80 million dollar "Mariner 1" because of a missing "hyphen" in the program code.
Because of a "prefix" error in an F-16 attack aircraft, it turned upside down every time it flew over the equator.
NASA Mars Lander:
Failed translation of English units into metric units.
Major error in the spacecraft's path as it approached Mars.
Crashed into the planet.
Shut off descent engines prematurely.
Taxpayer cost: $165 million.
In 1988, the USS Vincennes shot down an Airbus 320.
290 human lives lost.
"Cryptic and misleading output displayed by the tracking software."
I'm still digging for fatal flaws of 2000!!
But still, software is man-made! And here no one is infallible.

Bhanu said...

Hello,

Thanks for posting such great information on Indian Railways, but I think the main issue with IRCTC is the REFUND.
The refund policy is very bad; it may take more than 3-4 months even after many follow-ups via email and even sending a written complaint to the GM of Indian Railways. This is the only drawback. Our Govt. should take some action and improve the refund policy so that customers at least do not face refund problems.