RailYatri’s unsecured server exposes critical data of 7 lakh Indian users: Security firm

If you have booked tickets through RailYatri, chances are high that your personal details, including banking information, have leaked online. A security firm has found a vulnerability in the online train and ticketing platform RailYatri and has alleged that the data of over seven lakh users has been exposed due to an unprotected server. This data allegedly includes the name, phone, email, UPI and debit card information of users. The claim has been denied by the company.

RailYatri is a government-approved web and app service provider that helps users book IRCTC bus and train tickets and check live train times, journey progress, offline timetables, seat availability and offline GPS train status. The Noida-based company has more than 10 million downloads on the Google Play Store.

The loophole in the unsecured server was found by a team of researchers led by Anurag Sen at Safety Detectives, a United Kingdom-based cybersecurity company. They found the exposed Elasticsearch server on August 10 with 43GB of data.

The security firm said in its report that the company's Elasticsearch server was not password protected or encrypted and could be accessed by anyone who had the server's IP address. Information that was exposed included full names, age, gender, address and email address, phone numbers, payment logs, partial records of credit and debit card information, UPI IDs, train and bus ticket booking details, travel itinerary information, users' GPS location, user session logs including login times, and more.

Safety Detectives also said that three days after they detected the vulnerability, “the server became the target of a Meow bot attack, leading to the deletion of almost all server data.” A Meow bot attack is an automated script that targets open databases online and overwrites their data.

The information stored on RailYatri's server can reveal a lot about a person, including their address and travel plans. Attackers or other malicious actors can use it to craft targeted attacks against these people. And because the data includes location and travel details, physical safety is at risk as well.

However, in a statement to NDTV, the RailYatri team said it is trying to resolve the vulnerability that was spotted. “At RailYatri, we take the safety and privacy of our user-base seriously, and as soon as the issue was brought to our notice by CERT-In (Indian Computer Emergency Response team) a week back, our team was instantly on its feet in efforts to resolve the issue then and there. Post receiving the information, the testing server port was plugged immediately from the network. The server in question was a test server, and some of our logs were partially replicated on the same. As a general protocol, any and all data older than 24 hours are automatically deleted from the server,” the statement by RailYatri read.

The team also disputed the claim that the data of 7 lakh users was exposed due to the security flaw found in the ticketing platform. “Further, we would like to clarify that report suggesting 7,00,000 email addresses leaked in 3 days is factually incorrect as it would be impossible for that to happen since the server contains at most a day's worth of data,” the team said in a statement.

RailYatri also flatly denied claims that it stores users' financial data on its platform. Rubbishing the reports, the company said, “We would like to assure our users that RailYatri does not store financial and other sensitive data with the exception of some partial details. We do not store credit card data on our servers. Data privacy is of utmost importance to us, and we have taken a thorough look at the issue to address it comprehensively. We are committed to the safety of user data.”

Safety Detectives said that after it first discovered the exposed server, it informed RailYatri, but as it did not receive a response, it reported its findings to the Computer Emergency Response Team (CERT-In), India's nodal agency for dealing with cybersecurity issues. After this, the server was secured the next day, the report said.
