How I could have travelled the World for Free
Hacking into Air India, SpiceJet & Cleartrip.
Hey there! Before we jump into the details, just to clarify a few things:
- I hack ethically. No personal gains. Although, I believe hackers should be positively rewarded for their contributions.
- The reason I’m writing this article today is to inform more people about the possible security lapses & to encourage Indian firms to opt for bug bounty programmes to counter the same.
Until now, I’ve hacked into a dozen Indian companies, almost all within a month last year. It’s a big deal, right? A twenty-something guy with no professional expertise, just a passion to hunt gold, can be such a big pain in the ass to the corporates xD Not trying to brag here. Just portraying the current security scenario in the country.
I wouldn’t say I stumbled upon their APIs accidentally while working on a weekend project or something. I deliberately tried to hack into each one of them. This is just something I love. Obviously, I never shared any of my findings with anyone else. I’m doing it now because their applications have been updated & thus the bugs have been removed.
I reached out to the CEO of Air India through e-mail on 4th Nov ’15.
I received an unexpected phone call from their Manager (Finance) on 12th Nov ’15. He asked me to prove that such a vulnerability existed & oh boy! Did I?
This was a legitimate, PNR-generated airline ticket. I could have travelled to the States for absolutely free. Odds are they would never even have found out I did.
The Manager further enquired about the rectification steps required. I sent him all the details along with POC (Proof of Concept) videos attached to the mail. He also told me that they had their own IT team. I was keen on doing an internship back then. He kindly accepted my request (I never actually interned though) & also thanked me heartily for the contribution I had made.
Now, this was one of the most bizarre experiences I ever had.
Just like Air India, I had found a similar vulnerability in SpiceJet’s mobile application too.
The above ticket was booked on 28th October. The travel date was exactly a month after. I was hoping that the transaction would eventually get flagged & somebody from the Head Office would contact me. To my surprise, that never happened xD
I decided to drop a mail to some senior official. Shockingly, I wasn’t even able to find out the email addresses of their CEO or CTO or CMO. All I could manage to find were these (custrelations-nodalofficer & firstname.lastname@example.org). With no other choice left, I sent a similar email (like the one to Air India) to SpiceJet too. Their reply baffled me.
*Facepalm* I had to find an alternative, obviously. I tried reaching out to Mr Pradeep Shah (GM, Reservations).
As requested, I forwarded him the same e-mail I had sent to SpiceJet earlier. What followed was something I never expected.
They sent me our previous correspondence as an attached .eml file. *Double facepalm* This time the mail was signed by their Nodal Officer. Either they didn’t understand the point I made, or they didn’t like to acknowledge the fact that their security was compromised.
The ticket was absolutely valid until I decided to cancel it myself on 21st November.
The cancellation mail didn’t mention any refund amount. Out of curiosity, I called their helpline. The representative on the phone told me that I was eligible for a refund of around ₹2k & that I could either have that amount credited to my debit card or use it for my next trip. Easy money, right? 🤑
I could have not only travelled for free but also made money hand over fist. The financial systems in the back-end were obviously not able to detect any payment irregularities. Despite everything that happened, I decided to stay mum & leave them to God’s good grace.
With Cleartrip, I could have booked flights, hotels, international holidays, trains, restaurant dates, massages, cultural events, sport activities, anything, for absolutely free.
A word of advice: never have such conversations over the phone. Written correspondence is a must (you’ll have proof in case something goes wrong). I made an excuse & asked him to continue over here or on Facebook.
The day I made their POC videos, I had a couple of failed transactions too. One of them was automatically processed as ‘Money Paid but failed’. A refund request was generated. My Mobikwik wallet was credited with 1199 rupees.
So now I was getting paid for a massage too. Wow! Every guy’s dream come true 😆 But as usual (boring :p) I decided to inform them that I had found yet another bug.
Interestingly, that was the last time I ever heard from him. The Mobikwik wallet was soon taken down from their application & never put back up. I was under the impression that maybe they were updating the APIs. A month later, I finally emailed him back. Got nothing in return. Frustrated, I decided to write back to the co-founders.
Now, the least they could’ve offered me was a proper acknowledgement. They could have shown a little gratitude. I was not the one to ask for a reward. What a shame -_-
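As an added defender-side illustration (not the author’s code, nor any airline’s or Cleartrip’s actual system) of the check the author says the back-ends lacked: a reconciliation pass that compares confirmed bookings and issued refunds against what the payment gateway actually captured. PNRs, fares and amounts below are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

ZERO = Decimal("0")

@dataclass(frozen=True)
class Booking:
    pnr: str          # booking reference the booking system issued
    fare: Decimal     # amount the booking system expected to collect
    status: str       # what the booking system recorded: "CONFIRMED" or "FAILED"

@dataclass(frozen=True)
class GatewayCapture:
    pnr: str
    captured: Decimal  # amount the payment gateway actually settled for that PNR

def reconcile(bookings, captures, refunds):
    """Return (pnr, reason) for every booking confirmed without the full fare
    captured, and every refund that would pay out more than was ever captured."""
    captured = {c.pnr: c.captured for c in captures}
    issues = []
    for b in bookings:
        paid = captured.get(b.pnr, ZERO)   # missing capture counts as nothing paid
        if b.status == "CONFIRMED" and paid < b.fare:
            issues.append((b.pnr, f"confirmed with {paid} captured of fare {b.fare}"))
    for pnr, amount in refunds:
        paid = captured.get(pnr, ZERO)
        if amount > paid:
            issues.append((pnr, f"refund {amount} exceeds captured {paid}"))
    return issues

def sample_anomalies():
    # Constructed data: one clean booking; one ticket issued with nothing captured
    # and later refunded; one "paid but failed" transaction refunded with no capture.
    bookings = [
        Booking("AAA111", Decimal("45000"), "CONFIRMED"),
        Booking("BBB222", Decimal("6200"), "CONFIRMED"),
        Booking("CCC333", Decimal("1199"), "FAILED"),
    ]
    captures = [GatewayCapture("AAA111", Decimal("45000"))]
    refunds = [("BBB222", Decimal("2000")), ("CCC333", Decimal("1199"))]
    return reconcile(bookings, captures, refunds)

if __name__ == "__main__":
    for pnr, reason in sample_anomalies():
        print(pnr, reason)
```

Run on a real ledger, the booking-side and gateway-side records would come from two independent systems; the point is that neither a ticket nor a refund is trusted on the booking system’s say-so alone.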
What have I learnt from my experiences?
- Indian companies don’t pay the attention required to the security of their products.
- No application/website is entirely secure. Chances are, maybe someone is already exploiting the bugs right under their nose.
- The only way they understand the importance of bug bounty programmes is through public humiliation. Damage control is obligatory once you get hacked. Best example: Ola Cabs.
- Ethical hacking is rarely appreciated.
- The process of resolution usually takes a lot of time here. I remember submitting a vulnerability to Mobikwik through their official programme. I was able to brute-force the OTP during account creation. They took like five weeks to get it over with & rewarded me with a sum of ₹2k.
What needs to be changed?
Everything, from cyber laws to the way security is dealt with in our country.
- Development & maintenance aren’t everything. The company should be secure from any kind of hacking attempt. A leak of private customer details would mean a massive lawsuit coming your way.
- Every big startup/company should opt for a bug bounty programme or at least have a responsible disclosure policy. Platforms such as HackerOne or Bugcrowd can be used too.
- Appreciate & acknowledge those who find loopholes in your system.
- The cycle of bug identification, resolution and reward should be as fast as possible.
- Companies that don’t have their own security engineers can hire other firms to test their APIs.
I was inspired to start learning about Internet security around June 2015. A story about how someone hacked into something & got rewarded for it would pop up regularly. I thought I could use these additional skills to my advantage too (being a computer engineer in the making).
I started out on my own (bit by bit), learning things from the Internet. No books to refer to or teachers to learn such stuff from. I would download the required tools/software & start experimenting. Initially, it was a bit scary. I was afraid that this hit & trial method I used would cause me legal trouble.
Eventually, I was able to understand everything. I found my first ever vulnerability in Faasos’ application. It was a jackpot. I was able to look up the details (debit card, addresses, order history) of any customer just through their email address or mobile number. Furthermore, I was even able to order anything for free. I literally owned the application thereafter.
Full disclosure? I did order a free biryani a couple of times 😆 What surprised me was the fact that no one, from the store manager to the delivery boy, realised that they were being duped. The first time, I paid in cash after explaining everything to them. The second time was a test & they failed again. I could’ve eaten more like a 1000 times.
Soon after, I found out the email address of their CEO Mr. Jaydeep Barman & mailed him. I even exchanged a few emails & calls with his brother (also the CTO). As usually happens, the vulnerabilities remained unpatched for almost six months until they hired a security firm, ‘Falliable’.
I now find a unique interest in doing what I do. Some people may find this a bit boring, but for me, it’s like a treasure hunt: exploring & finding out stuff that’s never been seen before. It’s time for me to further polish my hacking skills. Looking forward to joining some professional courses.
Air India, SpiceJet, Cleartrip, Mobikwik & Faasos were the only companies I ever corresponded with. I never informed the rest of them about any loopholes. For the same reason, I never mentioned any technical details in this article. The compromised list may still include some e-commerce websites, home services, travel agencies, educational institutions, government applications, etc.
Here’s hoping that things will soon change for the good 🍻 This was fun.
~ Kanishk Sajnani
P.S. You can reach me at email@example.com or firstname.lastname@example.org for any further information.