How I could have travelled the World for Free

Hacking into Air India, SpiceJet & Cleartrip.

Hey there! Before we jump into the details, Just to clarify a few things:

I Hack Ethically. No personal gains. Although, I believe hackers should be positively awarded for their contributions. The reason why I’m writing this article today is to inform more people about the possible security lapses & encourage Indian Firms to opt for Bug bounty programmes to counter the same.

Until now, I’ve hacked into a Dozen of Indian companies. Mostly all within a Month, a little while ago. It’s a big deal, right? A 20 something guy with no professional expertise, Just a passion to hunt gold, can be such a big pain in the ass to the corporates xD Not trying to brag here. Just portraying the current security scenario in the country.

I wouldn’t say I stumbled upon their API’s accidentally while working on a weekend project or something. I deliberately tried to hack into each one of them. This is just something I love. Obviously, I never shared any of my findings with anyone else. I’m doing it now because their applications have been updated & thus bugs have been removed.

Air India

I reached out to the CEO of Air India through e-mail on 4th Nov 15'.

Received an unexpected phone call from their Manager(Finance) on 12th Nov 15'. He asked me to prove if such a vulnerability existed & Oh boy! Did I?

This was a legitimate PNR generated airline ticket. I could have travelled to the States for absolutely free. Odds are they would have never even found out I did.

The Manager further enquired about the rectification steps required. I sent him all the details along with POC( Proof of Concept ) videos attached in mail. He also told me that they had their own IT team. I was keen on doing an Internship back then. He kindly accepted my request( I never actually interned though) & also thanked me heartily for the contribution I had made.

SpiceJet

Now, this was one of the most bizarre experiences I ever had.

Just like Air India, I had found a similar vulnerability in SpiceJet’s Mobile application too.

Ticket price- 4k INR

Paid price- 4 INR

The above ticket was booked on 28th October. Travel date was exactly a month after. I was hoping that the transaction would eventually get flagged & somebody from the Head Office would contact me. To my surprise, that never happened xD

I decided to drop a mail to some senior Official. Shockingly, I wasn’t even able to find out the email addresses of their CEO or CTO or CMO. All I could manage to find were these ( custrelations-nodalofficer & apppelateauthority@spicejet.com) With no other choice left, I sent a similar email ( like one to Air India) to SpiceJet too. Their reply baffled me.

* Facepalm * I had to find an alternative, obviously. I tried reaching out to Mr Pradeep Shah (GM, Reservations)

As requested, I forwarded him the same e-mail I had sent to SpiceJet earlier. What followed was something I never expected.

They sent me our previous correspondence in a .eml type file attached *Double Facepalm * This time the mail was signed by their Nodal Officer. Either they didn’t understand the point I made Or they didn’t like to acknowledge the fact that their security was compromised.

The ticket was absolutely valid until I decided to cancel it myself on 21st November.

The cancellation mail didn’t mention any Refund Amount. Out of curiosity, I called their Helpline. The representative on Phone told me that I was eligible for a refund of around 2k ₹ & I can either choose to credit that amount in my debit card Or use it for my next trip. Easy money, right? 🤑

I could have not only travelled for free but also made money hand over fist. The financial systems in the back-end were obviously not able to detect any payment irregularities. Despite everything that happened, I decided to stay mum & leave them on God’s good grace.

Cleartrip

With Cleartrip, I could have booked Flights, Hotels, International holidays, Trains, Restaurant dates, Massages, Cultural events, Sport Activities, Anything for Absolutely free.

E-Mail to the Co-Founders

Reply from their End

A word of Advice: Never have such conversations over the phone. A written correspondence is must ( You’ll have proof in case something goes wrong) I made an excuse & asked him to continue over here Or on Facebook.

The Trip mentioned in Above Mail

The day I made their POC videos, I had a couple of failed transactions too. One of them was automatically processed as ‘ Money Paid but failed’. A refund request was generated. My Mobikwik wallet was credited with 1199 Rupees.

So now I was getting Paid for a Massage too. Wow! Every Guy’s dream come true😆 But as usual( Boring :p) I decided to inform them that I had found Yet another bug.

Interestingly, that was the last time I ever heard from him. Mobikwik wallet was soon taken down from their Application & never put back up. I was under the impression that maybe they were updating the API’s. A month later, I finally emailed him back. Got nothing in return. Frustrated, I decided to write back to the co-founders.

Now, the least they could’ve offered me was a proper acknowledgement. Could have shown a little gratitude. I was not the one to ask for a reward. What a shame -_-

What I’ve learnt from my Experiences?

Indian Companies don’t pay the attention required for security of their Products. No Application/Website is entirely secure. Chances are, maybe someone is already exploiting the bugs right under their nose. The only way they understand the Importance of Bug Bounty Programmes is through Public Humiliation. Damage control is obligatory once you get hacked. Best Example - Ola Cabs Ethical Hacking is rarely appreciated. The process of Resolution usually takes a lot of time here. I remember submitting a vulnerability to Mobikwik through their Official Programme. I was just able to Brute Force the OTP during Account Creation. They took like five weeks to get it over with & rewarded me with a sum of 2k ₹.

What needs to be changed?

Everything. From Cyber laws to the way security is dealt in our Country.

Development & Maintenance isn’t everything. The company should be secure from any kind of hacking attempts. Leak of private customer details would mean a massive lawsuit coming your way. Every Big startup/company should opt for a Bug Bounty Programme Or at least have a Responsible Disclosure Policy. Platforms such as Hackerone Or Bugcrowd can be used too. Appreciate & Acknowledge those who find loopholes in your system. The Cycle of Bug Identification- Resolution- Reward should be as fast as possible. Companies that don’t have their own security Engineers can hire other firms to test their API’s.

My Story

I was inspired to start learning about Internet security around June 2015. A story about how someone hacked into something & got rewarded for the same would Pop-up regularly. I thought I could use these additional skills to my advantage too( Being a computer Engineer in the making)

I started out on my own ( bit by bit ) learning things from the Internet. No books to refer Or teachers to learn such stuff from. I would download the required tools/software & start experimenting. Initially, it was bit scary. I was afraid that this Hit & Trial method I used doesn’t cause me any legal trouble.

Eventually, I was able to understand everything. I found my first ever vulnerability in Faaso’s application. It was a Jackpot. I was able to lookup the details(Debit card, Addresses, Order History) of any customer just through their email address or Mobile number. Furthermore, I was even able to Order anything for free. I literally owned the application thereafter.

Full disclosure? I did order a Free Biryani couple of times 😆What surprised me was the fact that no-one from the store manager to delivery boy realised that they were being duped. The first time, I paid in cash after explaining them everything. The second time was a test & they failed again. I could’ve eaten more like a 1000 times.

Soon after, I found out the email address of their CEO Mr. Jaydeep Barman & mailed him. I even exchanged a few emails & calls with his brother(also CTO) As it usually happens, the vulnerabilities remained unpatched for almost six months until they hired a security firm ‘ Falliable’

I now find a unique interest in doing what I do. Some people may find this a bit boring, but for me, it’s like treasure hunt — Exploring & finding out stuff that’s never seen before. It’s time for me to further Polish my hacking skills. Looking forward to Join some professional courses .

A ir India, SpiceJet, Cleartrip, Mobikwik & Faasos were the only companies I ever corresponded with. Never informed the rest of them about any Loopholes. For the same reason, I never mentioned any technical details in this article. Compromised list may still include some E-commerce websites, Home services, Travel agencies, Educational Institutions, Government applications, etc.

Here’s hoping that things would soon change for Good 🍻 This was fun. Signing OFF ~ Kanishk Sajnani

P.S. You can reach me at hello@kanishksajnani.com (updated) for any further Information.