Security hole on IRCTC's portal, lets you book free train tickets

There is a security hole on IRCTC's online train ticket booking portal which lets you confirm the payment for a train ticket with a single GET request, without actually making any payment through your bank. Let me take you through this story.

Today, a fine Sunday morning in Switzerland, I wanted to book my train ticket on www.irctc.co.in to travel from Delhi to Bhopal. I think I had too much time on my hands. I noticed that when I finished making the payment on my bank's payment gateway using the direct debit payment option in IRCTC, the bank gateway confirmed the payment using a GET request, i.e., a URL which goes something like the following:

https://www.irctc.co.in/cgi-bin/bv60.dll/irctc/booking/bankresponse.do?ClientCode=4567&MerchantCode=IRCTC&TxnCurrency=INR&TxnAmount=1581.00&TxnScAmount=11.23&MerchRefNo=1234567890&StSucFlg=N&StFailFlg=N&Date=06/01/2008+12:09:00&BankRefNo=601120915&Message=&method=T&methodtype=

I copied this to my clipboard and wondered if this can be used to confirm tickets which are waiting for payment confirmation in IRCTC's portal. So I did the following:

  1. Started to reserve a ticket on the IRCTC portal, e.g., travel from Delhi to Bhopal.
  2. When the portal took me to my bank's payment gateway, I didn't make the payment.
  3. Then I modified the above GET request to suit the ticket I had just booked (using information I found on the IRCTC portal), entered it in the Firefox address bar and hit enter.
  4. The IRCTC portal confirmed that I had booked my ticket, and I saw that my reservation was confirmed.

Wow, I can use this to book free train tickets in India. Plus I can also cancel this ticket and IRCTC will refund the money for the ticket, the money I never paid. Sadly, the good guy in me forced me to send an email to care@irctc.co.in to inform them about the security hole. Dammit!

I love software.

UPDATE Aug08: They seem to have changed the process of confirming the bank payment, maybe after I sent them the email, but they are still using a GET request. A basic rule is that one should never use a GET request to change something in the database. These guys are violating this rule blatantly by confirming the payment from the bank and changing the status of the train ticket in the database using a GET request.

UPDATE Nov08: Now the IRCTC portal uses only POST requests to confirm payments from banks. That's the right way to do it, IRCTC. Security hole fixed.
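The root cause in the story above is that the bank's callback was trusted purely on the basis of its query-string flags, so anyone who could type a URL could "confirm" a booking. The example below, added here and not code from IRCTC or any bank, puts the trusting handler next to a hardened one so the difference is concrete. The hardened handler requires an HMAC over the callback fields using a secret shared with the bank, checks that the amount and currency match the pending booking, and refuses to process a booking twice or accept a reused bank reference. The shared secret, the `Signature` parameter, the `merchant.example` host and the booking record are all assumptions for the demo; the field names and sample values are modelled on the URL quoted in the post. One caveat a practitioner would add to the Nov08 update: moving the callback from GET to POST stops browsers from casually replaying it, but on its own it does not stop a forged request; it is the signature (or a server-to-server verification with the bank) that does.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Constructed demo secret; a real one is agreed out of band with the bank and kept server-side.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

# Callback fields covered by the signature, in a fixed canonical order (assumed scheme).
SIGNED_FIELDS = ("MerchantCode", "MerchRefNo", "TxnAmount", "TxnCurrency",
                 "StSucFlg", "BankRefNo", "Date")


@dataclass
class PendingBooking:
    """What the portal knows about a ticket before the bank reports back (assumed shape)."""
    merch_ref_no: str
    amount: str
    currency: str
    status: str = "AWAITING_PAYMENT"
    bank_ref_no: Optional[str] = None


def parse_callback(url: str) -> Dict[str, str]:
    """Turn the bank's callback URL into a flat dict of parameters."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def canonical_string(params: Dict[str, str]) -> str:
    return "|".join(f"{k}={params.get(k, '')}" for k in SIGNED_FIELDS)


def sign(params: Dict[str, str], secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the canonical fields; the bank would compute this before redirecting."""
    return hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def naive_confirm(params: Dict[str, str], bookings: Dict[str, PendingBooking]) -> str:
    """The pattern the post describes: believe the success flag in the query string."""
    booking = bookings.get(params.get("MerchRefNo", ""))
    if booking is None:
        return "NO_SUCH_BOOKING"
    if params.get("StSucFlg") == "Y":
        booking.status = "CONFIRMED"
        return "CONFIRMED"
    return "REJECTED"


def hardened_confirm(params: Dict[str, str], bookings: Dict[str, PendingBooking],
                     seen_bank_refs: Set[str]) -> str:
    """Confirm only callbacks the bank provably produced, for the right amount, once."""
    booking = bookings.get(params.get("MerchRefNo", ""))
    if booking is None:
        return "NO_SUCH_BOOKING"
    # Constant-time comparison so the check itself leaks nothing about the expected MAC.
    provided = params.get("Signature", "").encode()
    if not hmac.compare_digest(provided, sign(params).encode()):
        return "BAD_SIGNATURE"
    if params.get("StSucFlg") != "Y":
        return "REJECTED"
    # The amount the bank charged must be what the portal asked for, not what the caller claims.
    if params.get("TxnAmount") != booking.amount or params.get("TxnCurrency") != booking.currency:
        return "AMOUNT_MISMATCH"
    if booking.status != "AWAITING_PAYMENT":
        return "ALREADY_PROCESSED"
    bank_ref = params.get("BankRefNo", "")
    if not bank_ref or bank_ref in seen_bank_refs:
        return "REPLAY"
    seen_bank_refs.add(bank_ref)
    booking.status = "CONFIRMED"
    booking.bank_ref_no = bank_ref
    return "CONFIRMED"


def demo() -> Dict[str, str]:
    """Run the unsigned callback from the post through both handlers, then a signed one."""
    bookings = {"1234567890": PendingBooking("1234567890", "1581.00", "INR")}
    seen: Set[str] = set()
    # Constructed callback modelled on the post's URL; no Signature, as a hand-typed URL would have.
    url = ("https://merchant.example/bankresponse.do?ClientCode=4567&MerchantCode=IRCTC"
           "&TxnCurrency=INR&TxnAmount=1581.00&MerchRefNo=1234567890&StSucFlg=Y&StFailFlg=N"
           "&Date=06/01/2008+12:09:00&BankRefNo=601120915&Message=&method=T&methodtype=")
    unsigned = parse_callback(url)
    results = {"naive_unsigned": naive_confirm(unsigned, bookings)}   # the hole: CONFIRMED
    bookings["1234567890"].status = "AWAITING_PAYMENT"                # reset for the hardened run
    results["hardened_unsigned"] = hardened_confirm(unsigned, bookings, seen)
    genuine = dict(unsigned)
    genuine["Signature"] = sign(genuine)                              # what the bank would attach
    results["hardened_genuine"] = hardened_confirm(genuine, bookings, seen)
    results["hardened_replay"] = hardened_confirm(genuine, bookings, seen)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The signature binds the amount, the reference and the bank's own transaction id, so tampering with any of them in the address bar fails the MAC, and the pending-status check means a genuine callback cannot be replayed to confirm a cancelled-and-rebooked ticket. A production integration would additionally query the bank server-to-server with `BankRefNo` before marking the ticket paid, which takes the browser out of the trust path entirely.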