Bengaluru techie 'hacks' IndiGo website to find lost luggage, airline says ‘at no point…’
New Delhi, Mar 31: Airports can be very harrowing even for seasoned travellers. There are so many things that one needs to look out for: tickets, identity cards, boarding passes, cell phones, and of course luggage. And that sinking feeling you get in your stomach when you don't see your luggage at your destination is the worst nightmare at airports.
An IndiGo passenger has gone viral after he claimed to have found a "vulnerability" in the airline's website, which he used to find the phone number of a co-passenger with whom his bag was mistakenly swapped.
Hey @IndiGo6E,
Want to hear a story? And at the end of it I will tell you hole (technical vulnerability) in your system? #dev #bug #bugbounty 😝😝 1/n
— Nandan kumar (@_sirius93_) March 28, 2022
Nandan Kumar, whose Twitter bio describes him as a software engineer, was travelling from Patna to Bangalore on an IndiGo flight when his luggage was mistakenly picked up by a co-passenger. The incident prompted Kumar to put his skills to use to find his lost luggage by hacking into the airline's website.
Kumar took to Twitter and shared the story of how he retrieved his luggage. He narrated the entire incident and told IndiGo about the loopholes in its website.
"Hey IndiGo. Want to hear a story? And at the end of it I will tell you hole (technical vulnerability )in your system?" is how Nandan starts the story.
Kumar wrote, "So, I travelled from PAT - BLR from indigo(sic) 6E-185 yesterday. And my bag got exchanged with another passenger. Honest mistake from both our ends. As the bags were exactly the same with some minor differences."
Kumar contacted IndiGo's customer service, which tried to contact the other passenger "but all in vain."
After the call did not work, the agent assured me that they will call me back when they are able to reach the other person. (I am still waiting for that call ) 👇🏻 6/n pic.twitter.com/uy7tkqWUO7
— Nandan kumar (@_sirius93_) March 28, 2022
So, today morning I started digging into the indigo website trying the co passenger’s PNR which was written on the bag tag in hope to get the address or number by trying different methods like check-in, edit booking, update contact, But no luck whatsoever. 8/n
— Nandan kumar (@_sirius93_) March 28, 2022
Kumar then decided to take the matter into his own hands, and this is where the story gets interesting.
And there in one of the network responses was the phone number and email I’d of my co-passenger.
Ah this was my low-key hacker moment 😇😇 and the ray of hope.
I made note of the details and decided to call the person and try to get the bags swapped. #dev #dataleak #bug pic.twitter.com/9l4pmNDk6V
— Nandan kumar (@_sirius93_) March 28, 2022
"I pressed the F12 button on my computer keyboard and opened the developer console on the IndiGo website and started the whole checkin flow with network log record on," he wrote.
"And there in one of the network responses was the phone number and email I'd of my co-passenger. Ah this was my low-key hacker moment and the ray of hope. I made note of the details and decided to call the person and try to get the bags swapped," the software developer added.
Kumar's effort yielded results and both the passengers swapped bags.
Kumar highlighted two problems with IndiGo here: one, their poor customer care service; and two, the data leak.
IndiGo took notice of Nandan's story and responded with an apology for the inconvenience, and assured that the website has no security lapses.
— IndiGo (@IndiGo6E) March 29, 2022
"Any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. This is the norm practiced across all airline systems globally," the airline stated.