Developer uses flaw in airline website to find exchanged suitcase – Antivirus and Security – Tecnoblog

A successful landing? Not quite. What relieves people most at an airport is seeing their luggage appear on the carousel. If it doesn’t, panic sets in. That’s what happened to software engineer Nandan Kumar. He managed to retrieve his lost suitcase, but to do so he took an unusual path: he “hacked” the airline’s website.

Person with suitcase (Illustrative image:

An identification tag that comes off or a very short time interval between connections are among the factors that can cause a person’s luggage not to appear on their flight’s carousel.

Sometimes the luggage appears but is mistakenly picked up by another passenger who has the same suitcase. That was the case with Kumar. He only realized he had the wrong suitcase once he was home. The mix-up was caused by a passenger who reached the carousel first, saw Kumar’s suitcase and took it, thinking it was his own luggage.

Noticing that he had the wrong luggage, Nandan Kumar took the PNR (Passenger Name Record, a passenger identification code) from the bag tag and contacted IndiGo, the airline he had flown with, in the hope of reaching the other passenger and solving the problem.

Because of its privacy policy, IndiGo refused to share the other person’s data, but promised to call Kumar once it had reached them. The call never came.

Distressed by the lack of response, Kumar went to the airline’s website and, from there, began looking up the other passenger’s PNR in the hope of finding his address or phone number.

It did not work. That’s when the software engineer pressed F12 to open the browser’s developer console. The intention was to find logs that could help his search. Then came the surprise: even though it was not displayed on the website, the console showed that the other passenger’s phone number was in the page’s source code.

Kumar called the number he found, confirmed that the other person had been on his flight, and arranged with them to exchange the bags. The suitcases were, in fact, identical:

Exchanged suitcases (image: Nandan Kumar)

IndiGo should have encrypted the data

In an attempt to resolve an issue that directly affected him, Nandan Kumar discovered a serious flaw on the IndiGo website. Recounting the story on Twitter, the engineer himself explained that the data transmitted by the site should have been encrypted.

Kumar is right. A PNR can bring together a lot of data about a person, so its handling must follow basic security principles, not least because obtaining this code is not difficult.

It can happen, for example, that a traveler publishes photos of their luggage or ticket (the PNR also appears on the ticket) on social media without realizing that their identification code is visible in the image.

Kumar’s tweets on the subject drew a relatively large amount of attention, which is why the airline used Twitter to state that “their IT processes are completely robust and that at no time has the IndiGo website been compromised”.

In any case, the company promised to analyze the case. This can be expected to include a review of its customer service procedures: IndiGo told the BBC that it tried to call its customer, but the calls went unanswered. That does not seem to be quite what happened.

Still on Twitter, Kumar reported asking the other passenger whether he had received calls from the airline, and the answer was no. IndiGo had told the software engineer that it tried to call his fellow passenger three times.
