Hackers are often equated with everything unlawful and unacceptable, however, this ethical hacker has raised eyebrows. In a post called How I could have travelled the world for free, Kanishk Sajnani revealed how he hacked into multiple portals like Air India, SpiceJet and Cleartrip. Instead of using the information in their algorithms to his benefit, Kanishk decided to point these loopholes to the companies. He claims to have hacked through all these websites within a month’s time. In the age of WannaCry Ransomware and the Zomato account-hacks, Kanishk Sajnani may as well be our knight in shining armour, but unfortunately, no one has taken heed of his warnings.
He began his post with a disclaimer:
Hey there! Before we jump into the details, just to clarify a few things:
- I Hack Ethically. No personal gains. Although, I believe hackers should be positively awarded for their contributions.
- The reason why I’m writing this article today is to inform more people about the possible security lapses & encourage Indian Firms to opt for Bug bounty programmes to counter the same.
In a very detailed description, Kanishk wrote about how he managed to book tickets to the United States for just Re 1 through an Air India portal. Instead of actually availing the opportunity to cheat the company blind with his newfound hack he chose to alert them about the bug. When he informed the authorities he received a phone call from a manager from Air India who asked him to prove his claims. The details were proven to be legit and the manager asked him about the rectification measures, for which Kanishk was asked to send in a POC- Proof of Concept via email. Kanishk was then offered an internship but chose against it.
In the case of SpiceJet, Kanishk managed to book a flight for Rs. 4 from Ahmedabad to Goa which was worth Rs. 4000.
By now Kanishk was expecting to get caught like he mentions in his post. But when nothing happened, this ethical hacker decided to go on with his trail of good deeds and inform the company.
“I decided to drop a mail to some senior Official. Shockingly, I wasn’t even able to find out the email addresses of their CEO or CTO or CMO. All I could manage to find were these ( custrelations-nodalofficer & firstname.lastname@example.org) With no choice left, I sent a similar email ( like one to Air India) to SpiceJet too. Their reply baffled me.”
Without any action, SpiceJet managed to deal with the whole thing quite casually. While the ticket was still valid but Kanishk cancelled it himself. The cancellation mail didn’t mention any refund amount so he pursued it with the helpline. The helpline informed him that he was eligible for a refund of Rs. 2000 which can be credited to his account or could be used on his next trip. He concluded that the financial systems’ back-end couldn’t detect irregularities in payment and had thus decided to bless him with this refundable amount.
Then came the curious case of Cleartrip, where he pointed out the vulnerabilities in their system he was asked to solve the problem over a phone-call. Kanishk was adamant, such matters needed a clear email trail and was later given a refund of Rs 1199. Like the good cop he was, he duly informed them about this too but didn’t hear from them again. But the next thing he knows his MobiKwik wallet was taken down from their Application and never reinstated.
Here are the key takeaways from his experience, maybe you can also learn a thing or two about internet security:
What I’ve learnt from my Experiences?
- Indian Companies don’t pay the attention required for security of their Products.
- No Application/Website is entirely secure. Chances are, maybe someone is already exploiting the bugs right under their nose.
- The only way they understand the Importance of Bug Bounty Programmes is through Public Humiliation. Damage control is obligatory once you get hacked. Best Example – Ola Cabs
- Ethical Hacking is rarely appreciated.
- The process of Resolution usually takes a lot of time here. I remember submitting a vulnerability to Mobikwik through their Official Programme. I was just able to Brute Force the OTP during Account Creation. They took like five weeks to get it over with & rewarded me with a sum of 2k ₹.
What needs to be changed?
Everything. From Cyber laws to the way security is dealt in our Country.
- Development & Maintenance isn’t everything. The company should be secure from any kind of hacking attempts. Leak of private customer details would mean a massive lawsuit coming your way.
- Every Big startup/company should opt for a Bug Bounty Programme Or at least have a Responsible Disclosure Policy. Platforms such as Hackerone Or Bugcrowd can be used too.
- Appreciate & Acknowledge those who find loopholes in your system.
- The Cycle of Bug Identification- Resolution- Reward should be as fast as possible.
- Companies that don’t have their own security Engineers can hire other firms to test their API’s.
For more interesting content, visit YouTube.com/InUthdotcom