You might have heard about many cases where hackers intruded into a public or company network and caused a major loss to the host. Just a few days back there was a major ransomware attack called “Wannacry” which was responsible for heavy financial losses worldwide. We are not going to talk about that kind of hacker here, but about an ethical hacker who helped several Indian airline companies find their security loopholes and thus saved them from losses of millions. But what did he get in return? Well, let’s not talk about it, as companies here in our nation don’t really believe in giving rewards.
Kanishk Sajnani, an ethical hacker of roughly 20, says he hacked into many portals, including Air India, SpiceJet and Cleartrip, discovered countless loopholes and ethically reported them to the respective websites, only to get nothing in return.
Read on for every detail he shared on Medium.
Until now, I’ve hacked into a dozen Indian companies. Mostly all within a Month last Year. It’s a big deal, right? A 20 something guy with no professional expertise, Just a passion to hunt gold, can be such a big pain in the ass to the corporates xD Not trying to brag here. Just portraying the current security scenario in the country.
I wouldn’t say I stumbled upon their APIs accidentally while working on a weekend project or something. I deliberately tried to hack into each one of them. This is just something I love. Obviously, I never shared any of my findings with anyone else. I’m doing it now because their applications have been updated & thus bugs have been removed.
Talking about hacking the apps of Indian airline companies, Sajnani revealed how he managed to book a flight to San Francisco for just Re 1, booked another flight for Rs 4 and got a refund of Rs 2000, and lots more. But instead of using it for his own benefit, he acted responsibly and first wrote an e-mail to the CEO of Air India.
After this e-mail, he got a call from the Finance Manager of Air India, and this is what happened, as reported by Kanishk himself:
Received an unexpected phone call from their Manager(Finance) on 12th Nov 15′. He asked me to prove if such a vulnerability existed & Oh boy! Did I?
Here are the proofs he sent back:
This was a legitimate PNR generated airline ticket. I could have travelled to the States for absolutely free. Odds are they would have never even found out I did.
The Manager further enquired about the rectification steps required. I sent him all the details along with POC (Proof of Concept) videos attached to the mail. He also told me that they had their own IT team. I was keen on doing an Internship back then. He kindly accepted my request (I never actually interned though) & also thanked me heartily for the contribution I had made.
He then tells about his experience with SpiceJet, which in his own words was the most bizarre. He says:
Now, this was one of the most bizarre experiences I ever had.
Just like Air India, I had found a similar vulnerability in SpiceJet’s Mobile application too.
Earlier, he thought that the transaction would get flagged and someone from Head Office would contact him. When nothing happened, he tried to get in touch through e-mail. To his shock, the e-mail IDs of the CEO, CTO and CMO were not available, so he sent a mail to whatever e-mail ID was available. And this was the reply:
* Facepalm * I had to find an alternative, obviously. I tried reaching out to Mr Pradeep Shah (GM, Reservations).
As requested, he sent them the e-mail.
They sent me our previous correspondence in a .eml type file attached. * Double Facepalm * This time the mail was signed by their Nodal Officer. Either they didn’t understand the point I made Or they didn’t like to acknowledge the fact that their security was compromised.
The cancellation mail didn’t mention any Refund Amount. Out of curiosity, I called their Helpline. The representative on Phone told me that I was eligible for a refund of around 2k ₹ & I can either choose to credit that amount to my debit card Or use it for my next trip. Easy money, right?
I could have not only travelled for free but also made money hand over fist. The financial systems in the back-end were obviously not able to detect any payment irregularities. Despite everything that happened, I decided to stay mum & leave them on God’s good grace.
Next was his case with Cleartrip, which in his own words happened like this:
With Cleartrip, I could have booked Flights, Hotels, International holidays, Trains, Restaurant dates, Massages, Cultural events, Sport Activities, Anything for Absolutely free.
A word of Advice: Never have such conversations over the phone. A written correspondence is a must (You’ll have proof in case something goes wrong). I made an excuse & asked him to continue over here Or on Facebook.
The day I made their POC videos, I had a couple of failed transactions too. One of them was automatically processed as ‘Money Paid but failed’. A refund request was generated. My Mobikwik wallet was credited with 1199 Rupees.
So now I was getting Paid for a Massage too. Wow! Every Guy’s dream come true? But as usual (Boring :p) I decided to inform them that I had found Yet another bug.
Interestingly, that was the last time I ever heard from him. Mobikwik wallet was soon taken down from their Application & never put back up. I was under the impression that maybe they were updating the APIs. A month later, I finally emailed him back. Got nothing in return. Frustrated, I decided to write back to the co-founders.
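The pattern running through the Air India, SpiceJet and Cleartrip cases above (a client-chosen amount turned into a ticket, a refund credited for money that was never collected) is a booking back-end that trusts the client instead of reconciling against what the payment gateway actually captured. The following is an added example of that reconciliation, not code from the original post or from any of the companies named; the fare table, the capture record shape and the sample bookings are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed server-side fare table standing in for the airline's own
# pricing service (assumption). The client never supplies the price.
FARES = {"BOM-SFO": Decimal("64500.00"), "DEL-BLR": Decimal("5200.00")}


@dataclass(frozen=True)
class GatewayCapture:
    """What the payment gateway reports for one booking (constructed shape)."""
    booking_id: str
    status: str        # "captured" or "failed"
    amount: Decimal    # amount the gateway actually collected


def verify_booking_payment(route: str, capture: GatewayCapture):
    """Decide whether a PNR may be issued; returns (ok, reason).

    Whatever amount the booking request carried is ignored: only the
    gateway-reported capture is compared with the server-side fare, so a
    request tampered down to Re 1 cannot become a valid ticket.
    """
    expected = FARES.get(route)
    if expected is None:
        return False, "unknown route"
    if capture.status != "captured":
        return False, "payment not captured"
    if capture.amount != expected:
        return False, f"amount mismatch: expected {expected}, captured {capture.amount}"
    return True, "ok"


def refundable_amount(capture: GatewayCapture) -> Decimal:
    """Cap any refund at what was really collected.

    A failed capture refunds nothing, which closes the 'money paid but
    failed' wallet-credit path; a short capture refunds only that amount.
    """
    if capture.status != "captured":
        return Decimal("0")
    return capture.amount


# Constructed samples for the same route: a tampered Re 1 payment,
# a failed payment, and a genuine full-fare capture.
TAMPERED = GatewayCapture("BK-1", "captured", Decimal("1.00"))
FAILED = GatewayCapture("BK-2", "failed", Decimal("0"))
GENUINE = GatewayCapture("BK-3", "captured", Decimal("64500.00"))
```

In a real deployment the capture record would come from a signed gateway callback or a server-to-server status query, never from fields the mobile app posts back.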
But there was no acknowledgement of all of Kanishk’s honest efforts.
“What I’ve learnt from my Experiences?
1. Indian Companies don’t pay the attention required for security of their Products.
2. No Application/Website is entirely secure. Chances are, maybe someone is already exploiting the bugs right under their nose.
3. The only way they understand the Importance of Bug Bounty Programmes is through Public Humiliation. Damage control is obligatory once you get hacked. Best Example – Ola Cabs
4. Ethical Hacking is rarely appreciated.
5. The process of resolution usually takes a lot of time here. I remember submitting a vulnerability to Mobikwik through their Official Programme. I was just able to Brute Force the OTP during Account Creation. They took like five weeks to get it over with & rewarded me with a sum of 2k ₹.
What needs to be changed?
1. Everything. From Cyber laws to the way security is dealt with in our Country.
2. Development & Maintenance isn’t everything. The company should be secure from any kind of hacking attempts. Leak of private customer details would mean a massive lawsuit coming your way.
Every Big startup/company should opt for a Bug Bounty Programme Or at least have a Responsible Disclosure Policy. Platforms such as Hackerone Or Bugcrowd can be used too.
3. Appreciate & Acknowledge those who find loopholes in your system.
4. The Cycle of Bug Identification- Resolution- Reward should be as fast as possible.
5. Companies that don’t have their own security Engineers can hire other firms to test their APIs.”
Kanishk also shared his earlier story and the case with Faaso’s:
I was inspired to start learning about Internet security around June 2015. A story about how someone hacked into something & got rewarded for the same would Pop-up regularly. I thought I could use these additional skills to my advantage too (Being a computer Engineer in the making).
I started out on my own (bit by bit) learning things from the Internet. No books to refer to Or teachers to learn such stuff from. I would download the required tools/software & start experimenting. Initially, it was a bit scary. I was afraid that this Hit & Trial method I used might cause me legal trouble.
Eventually, I was able to understand everything. I found my first ever vulnerability in Faaso’s application. It was a Jackpot. I was able to look up the details (Debit card, Addresses, Order History) of any customer just through their email address or Mobile number. Furthermore, I was even able to Order anything for free. I literally owned the application thereafter.
Full disclosure? I did order a Free Biryani a couple of times. What surprised me was the fact that no-one from the store manager to the delivery boy realised that they were being duped. The first time, I paid in cash after explaining everything to them. The second time was a test & they failed again. I could’ve eaten more like a 1000 times.
Soon after, I found out the email address of their CEO Mr. Jaydeep Barman & mailed him. I even exchanged a few emails & calls with his brother (also CTO). As usually happens, the vulnerabilities remained unpatched for almost six months until they hired a security firm, ‘Falliable’.
I now find a unique interest in doing what I do. Some people may find this a bit boring, but for me, it’s like a treasure hunt — Exploring & finding out stuff that’s never been seen before. It’s time for me to further Polish my hacking skills. Looking forward to Joining some professional courses.
Air India, SpiceJet, Cleartrip, Mobikwik & Faasos were the only companies I ever corresponded with. Never informed the rest of them about any Loopholes. For the same reason, I never mentioned any technical details in this article. The compromised list may still include some E-commerce websites, Home services, Travel agencies, Educational Institutions, Government applications, etc.
Don’t forget to share your thoughts on this in the comments section.