IRCTC — Millions of Passenger Details left at huge risk!

Technical Details

API response showing transaction ID of passenger from PNR number
Passenger Information received as response
Passenger Detail

IMPACT — All Passenger Details can be accessed!

1000 Passenger details in less than 10 mins
Passenger Detail
Another Passenger Detail
Some list of Passenger Details



First reach out to IRCTC and CERT team
Notified CERT team for public disclosure
