How I Found Business Logic Vulnerability in Google Pay

I hope everyone has an experience in using google pay. I used to travel by train so usually book my tickets via GPay. I had an idea of testing the train ticket expiration, before doing that I went to https:/ /www.irctc.co.in and read about the business working of IRCTC in ticket cancellation.

IRCTC Ticket Cancellation Rule of E-Tickets

I got to know that the train cancellation cannot be done after the departure of the train and one cannot cancel the ticket once the Reservation List has been generated to TTR (Ideally It will be generated 3 hours before the departure of the train) so I want to try canceling my ticket after my train journey.

Yes!

It worked! I was able to cancel my ticket in google pay after the cancellation time is closed and even after my journey was completed. I understood the severity of this issue and reported it to Google VRP they replied with a P4 severity.

Google VRP Program Changed the program to P4

This seems to be a Critical Vulnerability as there was a monetary loss involved so I mailed them back explaining the severity of the bug and its impact on the business.

But their response was different which was not what I expected which made me rethink whether what I did was right or if something went wrong.

Google VRP program said to report this to IRCTC, then I realized I shouldn’t have reported this to Google VRP instead I should have reported this to IRCTC.

My biggest takeaway from this is
1. To know who is the creator of the bug and can resolve the loophole
2. To identify the impact of the bug early and hit the nail
3. It’s fine not to be recognized but the process of learning is much more important to stand in a better place than yesterday!
Happy Hunting !!!