Nandan kumar
Mar 28, 2022, 19 tweets
Hey @IndiGo6E ,
Want to hear a story? And at the end of it I will tell you about a hole (technical vulnerability) in your system?

#dev #bug #bugbounty 😝😝 1/n
So I traveled from PAT to BLR on IndiGo 6E-185 yesterday. And my bag got exchanged with another passenger's.

Honest mistake from both our ends, as the bags were exactly the same with some minor differences. 2/n
I realised it only after I reached home, when my wife pointed out that the bag seemed to be different from ours, as we don't use key-based locks on our bags.
PS: We have too much faith in airline staff 😝😝
So right after reaching home I called your customer care. 3/n
After multiple calls and navigating through @IndiGo6E IVR and of course a lot of wait I was able to connect to one of your customer care agents and they tried to connect me with the co-passenger. But all in vain. 4/n
So long story short, I couldn't get any resolution on the issue. And your customer care team was not ready to provide me the contact details of the person, citing privacy and data protection. @Ankurkrtweets take note of this, it gets interesting😝
5/n
After the call did not work, the agent assured me that they would call me back when they were able to reach the other person. (I am still waiting for that call) 👇🏻 6/n
So I slept the night without any resolution to the issue, thinking I might get a call in the morning.

And after I did not get any calls from @IndiGo6E, I decided to take the matter into my own hands. 7/n
So, this morning I started digging into the IndiGo website, trying the co-passenger's PNR, which was written on the bag tag, in the hope of getting the address or number by trying different methods like check-in, edit booking and update contact. But no luck whatsoever.
8/n
So now, after all the failed attempts, my dev instinct kicked in and I pressed the F12 button on my computer keyboard, opened the developer console on the @IndiGo6E website and started the whole check-in flow with network log recording on.
9/n
And there in one of the network responses was the phone number and email ID of my co-passenger.

Ah this was my low-key hacker moment 😇😇 and the ray of hope.

I made note of the details and decided to call the person and try to get the bags swapped.

#dev #dataleak #bug
And thankfully I was able to reach my co-passenger with the phone number I got from the logs, and luckily we lived in close proximity, 6-7 km apart. So we decided to meet at a central point and got our bags swapped.

Dear @IndiGo6E , take note of my next tweet and try to improve.
Dear @IndiGo6E, take note

1. Fix your IVR and make it more user friendly
2. Make your customer service more proactive than reactive
3. Your website leaks sensitive data; get it fixed.
Fun Fact:

When I asked my co-passenger if he had got a call from IndiGo, he denied it, saying he did not get any calls, while the agent claimed to me that they called three times.

@IndiGo6E @Ankurkrtweets @scottishladki
For those asking what the co-passenger was doing:

He did not realise that the bags were exchanged until I called him and explained the whole scenario.

He was also surprised at how I got his number; I had to explain that to him too.

But at the end we both were happy.
I have realised that in some cases the phone number and email ID are visible on the screen itself.

That wasn't the case with my co-passenger's; I had to look into the network log.

In those cases it's even easier for people with malicious intent to get the details.
Also.. in the network response, they are even sending details like:
- The address that you enter while doing a web check-in, i.e. your home address or your hotel/Airbnb address

- Your checked-in baggage details with ID and weight
And some more crucial details.
My only suggestion to fellow passengers is to please not share your boarding pass photos or your PNR details on social media or in the public domain.

And I hope airlines take all these things into account and do something about it, i.e. encrypt the data being sent over the network.
If you want to hear the whole story, tune in to the link below to listen to my latest podcast interview with Bryan Seely ( @bryanthemapsguy ) at @athackcon

athack.com/media-centre
In another news by @MothershipSG 😁😁

mothership.sg/2022/05/travel…
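The leak the thread describes is a check-in API that returns the whole passenger record (phone, email, address, baggage) and relies on the web page to display only part of it, so everything is visible in the browser's network log. The usual fix on the server side is to return only the fields the page needs, from an explicit allow-list. The following is an added example written for this page, not IndiGo's code: a constructed in-memory passenger record, an over-fetching lookup beside a minimal-field lookup, and a small audit function a defender can run over API responses in tests to catch contact or address fields before they reach the client. All records, field names and function names are assumptions for illustration.

```javascript
// Added example, not IndiGo's code. Records and field names are constructed.

// Constructed sample "database" keyed by PNR. Every value here is made up.
const PASSENGERS = {
  ABC123: {
    pnr: "ABC123",
    firstName: "Asha",
    lastName: "Rao",
    flight: "6E-185",
    seat: "14C",
    phone: "+91-90000-00000",              // constructed
    email: "asha.rao@example.com",         // constructed
    address: "12 Example Street, Patna",   // address typed at web check-in
    baggage: [{ tagId: "0312345678", weightKg: 15 }], // constructed tag
  },
};

// Over-fetching pattern: the handler returns the stored record as-is and
// trusts the front end to hide most of it. Anyone who can call the endpoint
// with a PNR sees every field in the network tab.
function checkinLookupUnsafe(pnr) {
  return PASSENGERS[pnr] || null;
}

// Hardened pattern: require the second identifier the check-in form asks for
// (last name) and build the response from an allow-list of fields the page
// actually renders. New columns added to the record never leak by default.
const CHECKIN_VIEW_FIELDS = ["pnr", "firstName", "lastName", "flight", "seat"];

function checkinLookupSafe(pnr, lastName) {
  const rec = PASSENGERS[pnr];
  if (!rec || typeof lastName !== "string") return null;
  if (rec.lastName.toLowerCase() !== lastName.trim().toLowerCase()) return null;
  return Object.fromEntries(CHECKIN_VIEW_FIELDS.map((k) => [k, rec[k]]));
}

// Defender-side audit: walk a response body and report the path of every key
// that looks like contact, address or baggage data. Running this over API
// responses in an integration test turns a silent leak into a failing build.
const SENSITIVE_KEY = /phone|mobile|email|address|baggage/i;

function findSensitiveKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findSensitiveKeys(item, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (SENSITIVE_KEY.test(key)) hits.push(childPath);
      hits.push(...findSensitiveKeys(child, childPath));
    }
  }
  return hits;
}

// Stand-alone demonstration.
console.log("unsafe response leaks:", findSensitiveKeys(checkinLookupUnsafe("ABC123")));
console.log("safe response leaks:", findSensitiveKeys(checkinLookupSafe("ABC123", "Rao")));
console.log("wrong last name:", checkinLookupSafe("ABC123", "Kumar"));
```

The audit is deliberately key-based rather than value-based: it is cheap, runs offline against recorded fixtures, and catches the case the thread highlights, where a field is present in the JSON but never drawn on screen. Pair it with the allow-list so that a record gaining a new sensitive column fails the test instead of quietly appearing in the network log.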
