Monday, May 22, 2017

Hacker reveals how a bug in Air India, ClearTrip, SpiceJet apps could have allowed one to roam the world for free

Ever aspired to take the air route to travel the world, but always ended up with disappointment owing to costly fares? Then you might find this interesting. Kanishk Sajnani, a 20-something guy with enormous interest in meddling with codes discovered vulnerabilities in the ticketing systems of some of the most popular airlines operating in India and not only did he discover threats, but was able to exploit the bug to demonstrate the possibilities of booking flights, hotels, etc. all across the world and paying nothing, all without being traced.

A self-proclaimed white hat hacker, Sajnani detailed his adventurous encounters with the bugs in applications of Air India, SpiceJet and travel site Cleartrip in his Medium post. Sajnani’s hacking spree dates back to 2015 when he hacked into Air India’s API to discover a vulnerability that allowed him to book a ticket at more than 95 percent discount. After duly informing the company about the bug, he assisted them in resolving the issue in turn for an internship opportunity at the national carrier (although, he says he never took up that opportunity).

“The major flaws were in the Website-Payment Gateway Integration. Somewhere in the middle, I was able to change Transaction Values due to reasons such as Improper checksum validation Or Poor client-side APIs. I exploited the flaws using Proxies such as Fiddler Or Burp suite. I have not mentioned any technical details in my article due to the fact that there are still many websites/ applications that can be exploited because of the same vulnerability,” Sajnani told BGR India.

While Air India officials were prompt in acknowledging and resolving the matter. People at SpiceJet appeared to have misunderstood Sajnani’s emails about bugs as a job application and redirected him to a different email address. Even reaching out to the c-suite executives failed to get him the response he desired – of acknowledging there was a security vulnerability in the system. To demonstrate the bug, Sajnani booked a ticket from SpiceJet’s mobile app where instead of the Rs 4,028 ticket, he paid just Rs 4. After waiting for weeks to see if the systems detected the erroneous payments before his date of travel, Sajnani canceled his ticket.
Now instead of locating the bug, the company instead sent him a mail for cancellation of the ticket and that he was eligible for Rs 2,000 of refund. So, not only the bug allowed him to book a ticket for just Rs 4, but also made him eligible for a hefty refund. Despite reaching out to the company, Sajnani’s concern went unheeded and as he says in his post, he left the company to “God’s good grace.”
Even bizarre was the bug-hunting experience with ClearTrip. Not only the bug could allow one to book tickets, but also restaurants, hotels, even massages for free. For making payments, Sajnani used MobiKwik wallet and realized that payments could be tempered with. As a proof, he sent the company reproduction video of the whole episode. As soon as Sajnani reported, the company took down the app without further informing him about whether his efforts were acknowledged and if the bounty was flowing in.
22/05/17 Deepali Moray/BGR

0 Comments: