How ethical hacker Kanishk Sajnani hacked Air India and booked a Mumbai to San Francisco ticket for Rs 1.
Air India was not his only instance of ethical hacking: Sajnani also successfully hacked the SpiceJet website and the Cleartrip app. Most recently, he ordered food for Rs 7 on the Indian Railway Catering & Tourism Corporation (IRCTC) website while travelling to Mumbai.
The shocking fact, however, is that although he warned the authorities of this anomaly, they did not act on it for seven months. Anybody with basic hacking skills could order food for free this way on the website. Sajnani also informed the authorities concerned that two of their other websites, IRCTC Tourism and IRCTC Corporate, were vulnerable as well. While IRCTC fixed the e-catering website, the other two sites remain frightfully exposed.
He had discovered the vulnerability in the IRCTC website in June 2017 and dutifully informed the Chairman of the corporation on June 14 and Railway Minister Suresh Prabhu on June 25, in a series of e-mails.
He further tweeted about it on July 5, tagging the Ministry of Railways and IRCTC, to no response.
The self-taught Sajnani then went on to order food from the website while travelling from Ahmedabad to Mumbai. His first order, “Kadhai Chicken” for Rs 1.3, was paid through the online wallet service MobiKwik, and the second, “Butter Naan” for Rs 6.12, was paid through Paytm. The original prices of these items were Rs 163 and Rs 68 respectively.
IRCTC launched its revamped website and app on February 3, 2018, with a new user interface, forced HTTPS, and a payment gateway that offers most wallet options, except Paytm and MobiKwik.
Sajnani is a computer engineering drop-out, currently pursuing professional courses to upgrade his knowledge. He has also turned down an internship offered to him by a mobile wallet company. He rues that there are no bug bounty programmes in India. Such programmes are deals offered by many websites and software developers to individuals for reporting bugs, especially exploitable security vulnerabilities, and usually involve rewards and recognition. Across the seas, however, the US government runs an official bug bounty programme through HackerOne, the world’s largest bug bounty platform.