Unmasking a Major Security Flaw: Accessing and Controlling User Data and Travel Bookings On KSRTC Website

Goutham A S
5 min read · Aug 16, 2024


In this blog post, I’ll explore a critical security vulnerability known as Insecure Direct Object References (IDOR), which I recently uncovered. IDOR occurs when an application exposes references to internal implementation objects, allowing attackers to access unauthorized data by manipulating these references. In my case, I discovered that by exploiting this vulnerability, I could retrieve sensitive Personally Identifiable Information (PII) such as Aadhar Card details, addresses, and mobile numbers of any user. Additionally, the vulnerability extended to accessing detailed travel histories, booking records, and even downloading travel tickets. The severity of the flaw was highlighted by my ability to cancel any user’s travel tickets at will. This post will delve into the specifics of how IDOR facilitated this unauthorized access and discuss potential remedies to prevent such critical security issues.

Here’s a generic step-by-step breakdown of how I exploited the vulnerability to access user PII and ticket information:

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

1. Identify Entry Points: I started by identifying parts of the application where user-specific data was accessed, such as profile pages, travel history sections, or booking management interfaces.

2. Analyze Object References: Next, I analyzed how the application referenced user data. This often involved inspecting URLs, form fields, or API requests to find patterns in how user IDs or other identifiers were structured.

3. Manipulate Identifiers: By modifying these identifiers — such as changing numbers or tokens in the URLs or request parameters — I was able to bypass access controls. This allowed me to view and interact with data belonging to other users.

4. Access PII: Using this manipulation, I retrieved sensitive Personally Identifiable Information (PII) including Aadhar Card numbers, addresses, and mobile numbers of other users. The application did not properly validate whether the requester had permission to access this data.

5. Fetch Travel Information: I then extended my tests to travel-related data. By altering object references linked to booking records or travel history, I accessed detailed information about other users’ travel activities and booking details.

6. Download and Manipulate Tickets: Further manipulation of identifiers enabled me to download travel tickets for other users. Additionally, I discovered that I could cancel these tickets, highlighting a severe lack of authorization checks in the system.

7. Exploit Findings: I documented these findings, demonstrating how the IDOR vulnerability could be exploited to compromise user privacy and manipulate travel bookings.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Recently, I took a few days off to travel to some holy places with my parents. I began by booking our tickets and making all the necessary arrangements for the trip.

As I was planning our trip, I looked into various travel options and realized that traveling with KSRTC would be the most suitable choice for my destination. Given that we were planning to travel out of state, their facilities and services seemed to fit our needs perfectly.

I then fired up my laptop, booked the tickets without a hitch, and downloaded them using the provided option. At this point, I was just a regular KSRTC customer, not in a hacker mindset — yet! Hahaha.

I quickly realized something and hovered my mouse over the ‘Download Ticket’ button once more.

Amazing……………….!!!!!!!!!!!!!!!

I noticed that the application uses the PNR number as the unique identifier for the ticket download endpoint. Curious, I copied the download GET URL and pasted it into a new tab to investigate further. The URL looked like this:

https://ksrtc.in/ticket/download/XXXXXX

After changing the PNR number in the URL to someone else’s PNR, I was able to download another customer’s travel tickets.

These tickets contained complete travel details, including the transaction password, which could be used to cancel the customer’s booking.

This issue confirmed that the application was vulnerable to ‘Insecure Direct Object References’ (IDOR). Intrigued, I decided to investigate further, which led me to access sensitive customer account details, including Aadhar numbers and home addresses.
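The following is an added illustration, not KSRTC's code (which was never published), of the flaw described in the step-by-step list and in the ticket-download finding above, written in Python: a download handler that looks a ticket up by PNR alone beside one that also checks that the PNR belongs to the authenticated account, with the cancel endpoint reusing the same ownership check. The PNRs, account IDs and routes are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ticket:
    pnr: str
    owner_id: int          # account that made the booking
    route: str
    cancelled: bool = False


# Constructed sample bookings (hypothetical values, not real KSRTC records).
TICKETS = {
    "ABC123": Ticket("ABC123", owner_id=1, route="Bengaluru-Mangaluru"),
    "XYZ789": Ticket("XYZ789", owner_id=2, route="Mysuru-Hubballi"),
}


def download_ticket_vulnerable(pnr: str, session_user: int) -> Optional[Ticket]:
    """IDOR: the ticket is resolved from the PNR in the URL alone, so any
    logged-in user can fetch any PNR. session_user is never consulted."""
    return TICKETS.get(pnr)


def download_ticket_fixed(pnr: str, session_user: int) -> Optional[Ticket]:
    """Object-level authorization: the PNR must belong to the account behind
    the session. A ticket owned by someone else is reported exactly like a
    non-existent one, so the response does not reveal which PNRs exist."""
    ticket = TICKETS.get(pnr)
    if ticket is None or ticket.owner_id != session_user:
        return None
    return ticket


def cancel_ticket_fixed(pnr: str, session_user: int) -> bool:
    """Cancellation goes through the same ownership check instead of trusting
    a transaction password printed on the downloadable ticket."""
    ticket = download_ticket_fixed(pnr, session_user)
    if ticket is None or ticket.cancelled:
        return False
    ticket.cancelled = True
    return True
```

The same pattern applies to every endpoint that takes a user-controlled identifier (profile, travel history, booking records): resolve the object, then verify it belongs to the requester before returning it.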

I promptly contacted the KSRTC technical team via email, reporting the vulnerability in an ethical manner and giving them the opportunity to address and remediate the issue.

Although KSRTC did not acknowledge or appreciate my report, I take satisfaction in knowing that my cybersecurity skills made a positive contribution to the community by identifying and addressing this vulnerability.

This could have been a major security incident, as the impact was significant. Malicious users could have exploited this vulnerability to access other users’ PII data.

Fortunately, the issue has now been secured.

Disclaimer: This information is provided for educational purposes only. I urge everyone not to misuse this security flaw on any other websites, including KSRTC.

Happy hacking and learning! 🥂🥂🥂🥂 Cheers to new discoveries and insights. See you in the next write-up!


Written by Goutham A S

Assistant Manager - Information Security | Ethical Hacker | Penetration Tester | Blogger | SAST | DAST | API Security | AWSOps | AZ-500 | Reverse Engineering