It took nearly two years for India's largest e-commerce website, Indian Railway Catering and Tourism Corporation (IRCTC), to fix a security vulnerability that could have given attackers unfettered access to the personal information of passengers. IRCTC handles the catering, tourism and online ticketing operations of Indian Railways, involving about 600,000 ticket bookings daily. ET could not independently verify whether any passenger data was stolen in the nearly two years that the bug existed.

The vulnerability was found only in August, by security researcher Avinash Jain, in the link on IRCTC's website and mobile app that connects to a third-party insurance company for free travel insurance. The bug would have given attackers access to passenger details such as name, age, gender and insurance nominees without the passengers' knowledge or consent. "Within 10 minutes (after finding the bug) we were able to read almost 1,000 passenger and nominee information," said Jain, who subsequently wrote to IRCTC alerting it to the problem. He estimates that the vulnerability left at least 200,000 passengers and their nominee details exposed to an attacker. The bug, reported to IRCTC on August 14, was acknowledged and fixed on August 29.

Interestingly, Indian Railways decided to stop free mandatory travel insurance from September 1, allowing users instead to opt in or out of travel insurance. IRCTC did not reply to questions on the matter.

In December 2016, IRCTC introduced free travel insurance for everyone who booked tickets through its website or mobile app. This entailed IRCTC sharing the details of all travellers with third-party insurers in order to provide the insurance cover. After a ticket was booked, the nominee details were to be filled in on the respective insurance company's website, which generated an encrypted transaction ID for the passenger.
"To get the personal details of a traveller, we needed a valid combination of the transaction ID and passenger name record (PNR) number," Jain said. "We were able to fetch details of any passenger by decoding the encrypted data (transaction ID/PNR) through brute force." The 10-digit PNR number is a record of a person in the database of a computer reservation system; it, too, was obtainable through the brute-force technique.

"There are three companies offering rail travel insurance, and we found vulnerabilities in the linkage to only Shriram General Insurance," said Gurunatha Reddy Gopireddy, co-researcher, in the disclosure. Links to the other two insurance companies, ICICI Lombard General Insurance and Royal Sundaram General Insurance, did not carry the same bug.

As per IRCTC's annual report for 2016-17, e-ticketing accounted for 62% of reserved railway tickets in India, with more than 573,000 tickets sold daily through the IRCTC website.

"Responsible disclosure of flaws is not rewarded by the government," said Jain, who has reported critical security vulnerabilities to, and been rewarded by, NASA, Google and Paytm, among others. The Indian Computer Emergency Response Team (CERT-In), the agency that handles cybersecurity threats, recorded 53,081 reported incidents in the country in 2017. "Less than 1% of the reporting to CERT-In comes from security researchers, whereas Indian researchers received over $1.8 million in bounties (rewards) in 2017. Incentives matter for active disclosure," said Jain.

An IRCTC spokesperson denied that there was any vulnerability on its website. "There is no bug (on the website) so there is no question of fixing it," the spokesperson said.
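The researchers describe a lookup that released a passenger's record to anyone who presented a valid transaction ID and PNR, and that could be walked by brute force because the identifiers were guessable and the endpoint did not stop guessing. The article does not give the actual format of the identifiers or of the insurer's endpoint, so the following is an added, generic illustration by the editor, not code from IRCTC, Shriram or the researchers. It models the pattern in the abstract: a lookup keyed by a 10-digit PNR plus a short numeric transaction ID that an attacker enumerates, beside a hardened version that replaces the guessable identifier with a random 256-bit capability token, compares it in constant time and locks the record after a few failed attempts. The passenger records, the 4-digit transaction-ID width and the failure threshold are constructed assumptions for the demo.

```python
import hmac
import math
import secrets

# Constructed, fictitious sample records keyed by (PNR, transaction ID).
# These are not real IRCTC or insurer data.
RECORDS = {
    ("4412345678", "0042"): {"name": "A. Sharma", "age": 34, "gender": "F", "nominee": "R. Sharma"},
    ("4412349901", "0043"): {"name": "B. Iyer", "age": 52, "gender": "M", "nominee": "K. Iyer"},
}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy an attacker must search if every identifier is equally likely."""
    return length * math.log2(alphabet_size)


class WeakLookup:
    """Generic model of the vulnerable pattern: the only 'authentication' is a
    guessable identifier pair, and nothing counts or throttles failed guesses."""

    def __init__(self, records):
        self.records = records
        self.requests = 0  # how many calls the attacker needed

    def fetch(self, pnr: str, txn_id: str):
        self.requests += 1
        return self.records.get((pnr, txn_id))


def enumerate_txn_ids(service: WeakLookup, pnr: str, digits: int = 4):
    """Attacker holding (or having guessed) a PNR walks the whole short
    transaction-ID space until the service hands back a record."""
    for n in range(10 ** digits):
        rec = service.fetch(pnr, f"{n:0{digits}d}")
        if rec is not None:
            return rec, n
    return None, None


class HardenedLookup:
    """Hardened form (editor's suggestion): the record is bound to a random
    capability token issued only to the booking party; lookups compare it in
    constant time and lock the record after max_failures bad attempts."""

    def __init__(self, records, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = {}
        self.tokens = {}
        self.by_pnr = {}
        for (pnr, _txn_id), rec in records.items():
            self.tokens[pnr] = secrets.token_urlsafe(32)  # 256 bits of randomness
            self.by_pnr[pnr] = rec

    def issue_token(self, pnr: str) -> str:
        """Returned to the passenger at booking time over the authenticated session."""
        return self.tokens[pnr]

    def fetch(self, pnr: str, token: str):
        if self.failures.get(pnr, 0) >= self.max_failures:
            return None  # locked: even the right token is refused until reset
        expected = self.tokens.get(pnr)
        if expected is not None and hmac.compare_digest(expected.encode(), token.encode()):
            return self.by_pnr[pnr]
        self.failures[pnr] = self.failures.get(pnr, 0) + 1
        return None


if __name__ == "__main__":
    weak = WeakLookup(RECORDS)
    rec, guess = enumerate_txn_ids(weak, "4412345678")
    print(f"weak: found {rec['name']} after {weak.requests} requests "
          f"({keyspace_bits(10, 4):.1f}-bit transaction-ID space, "
          f"{keyspace_bits(10, 10):.1f}-bit PNR space)")
    hard = HardenedLookup(RECORDS, max_failures=3)
    print("hardened, wrong token:", hard.fetch("4412345678", "0042"))
    print("hardened, right token:", hard.fetch("4412345678", hard.issue_token("4412345678")))
    print(f"token space: {keyspace_bits(64, 43):.0f} bits")
```

The point of the comparison is that a 4-digit transaction ID is about 13 bits and a 10-digit PNR about 33 bits, both well inside what an unthrottled HTTP endpoint will serve up in hours, whereas the 43-character URL-safe token is roughly 256 bits and cannot be enumerated at any request rate. Locking after a handful of failures is the second, independent control: it is what turns a slow brute force into a dead one even if an identifier does leak.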