This 17 year old student learned ethical hacking in lockdown, thus saved the data of lakhs of passengers


  • P. Ranganathan is a 12th class student
  • Bug found while booking tickets
  • Learn how to get the help of ethical hacking

P Ranganathan Ethical Hacker: The name of a 17-year-old schoolboy from Chennai has become a well-known name in the world of ethical hacking. Because this student helped fix a bug on the Indian Railway Catering and Tourism Corporation’s (IRCTC) online ticketing platform after learning ethical hacking online. Due to which the personal information of lakhs of passengers was saved from going viral. Not only this, but this bug could also have allowed the hacker to cancel the booked train tickets of any unknown passengers by exploiting the IDOR (Insecure Direct Object Reference) vulnerability on IRCTC.

P. Ranganathan alerted the Computer Emergency Response Team and informed India’s train ticket booking platform IRCTC about this bug. Due to which the data of the users was saved from being hacked. Actually, there was such a problem on the platform of IRCTC, which could give access to the private information of lakhs of passengers to the hackers. Think of it as such that there was such a secret route on the IRCTC website, which used to access the private details of lakhs of passengers. Ranganathan not only discovered this error but also immediately conveyed its information to CERT-IN.

P. Ranganathan is a 12th class student
P. Ranganathan (17) is a commerce student studying in class 12 of a private school located in Tambaram, Chennai. During the lockdown, he started learning ethical hacking online while studying. Today he has found flaws in many national and international websites and rectified them. Like other children, P. Ranganathan also spends a lot of time on the computer screen, but he does not waste his time playing online games or watching series. He does bug bounties in his spare time and this specialty makes him different from other kids.
Also read: Career After 12th: Excellent Career Scope In Travel And Tourism, Know Course And Skill Details

Bug found while booking tickets
According to P. Ranganathan, one day he was booking a seat in the train for a member of his family. For which they went to the website of IRCTC. He found a big flaw there. However it was just a coincidence. He says, “It was not like I was looking for a bug, in fact, I was booking tickets online. As soon as I completed all the formalities for booking the ticket, I got the Critical Insecure Object Direct Reference (CIODR) vulnerability on the website to give them name, gender, age, PNR number, train details and departure station and date of journey to other passengers. Enabled to access travel details of

Ranganathan said that, since the back-end code is the same, a hacker could take advantage of this glitch on the IRCTC website to cancel tickets as well as change the passenger’s boarding station, order food, hotel booking, tourist package and so on. Even the bus could be booked. The biggest reason for this flaw was that it threatened to leak a huge database of millions of passengers.
Also read: To do digital marketing course from IIT Delhi, then take admission like this, you will get better career options

problem solved like this
When Ranganathan informed CERT about this bug of IRCTC, CERT created a question mark ticket for it within minutes. Ranganath told in the mail to CERT that first of all go to the ticket history of your account, turn on Burp Suite and click on any ticket. Now change the transaction ID, which will give you access to the second ticket, where you will get all the sensitive data. Here you can also cancel someone’s ticket. Ranganathan explains that the bug was fixed five days after the information was received. Also it was accepted by IRCTC that there was a bug on their website, as well as they got a citation for it.

Ranganathan said that prior to this achievement, he had reported discovering security vulnerabilities on his web applications to companies including LinkedIn, United Nations, Nike and Lenovo, which led him to receive security offers and gratitude from several companies. have met. Ranganathan wants to pursue a career in computer science while continuing his research in the security of web applications.


Scroll to Top