An IndiGo passenger has gone viral for exploiting a “technical vulnerability” in the airline’s system to find his lost luggage.
Nandan Kumar, whose Twitter bio describes him as a software engineer, shared how he used his technical knowledge to find his belongings. Kumar said he managed to find his co-traveller’s details on IndiGo’s website and got his luggage back.
After his Twitter thread went viral, the airline replied that it was “fully committed” to data privacy and that Kumar had not hacked their website.
On Sunday, Kumar traveled from Patna to Bengaluru on an IndiGo flight. At the Bengaluru airport, however, his bag was exchanged with that of another passenger. He wrote in his viral Twitter thread, “Unknown mistake on our part. The bags were exactly the same, slightly different.”
Hey @IndiGo6E,
Want to hear a story? And at the end of it I will tell you hole (technical vulnerability) in your system? #dev #bug #bugbounty 😝😝 1/n
— Nandan kumar (@_sirius93_) March 28, 2022
It was only after Nandan Kumar reached home that he realized that his belongings had gone to someone else. He managed to get in touch with the IndiGo customer care agent after several calls and a long wait.
He wrote, “They tried to connect me with a co-traveller. But all in vain. So long story I didn’t find any solution on this issue and neither did your customer service team give me the contact details of the person citing privacy and data security.”
So long story short I couldn’t get any resolution on the issue. And neither your customer care team was not ready to provide me the contact details of the person citing privacy and data protection. @Ankurkrtweets take note of this, it gets interesting😝
5/n
— Nandan kumar (@_sirius93_) March 28, 2022
He further says that the IndiGo customer care agent assured him that he would receive a call back – which he did not. After spending the night without any resolution, he decided to settle the matter himself.
He said, “I started checking the co-traveller’s PNR in the IndiGo website which was written on the bag tag hoping to get his address or number by trying various methods like check-in, edit booking, update contact”
After the call did not work, the agent assured me that they will call me back when they are able to reach the other person. (I am still waiting for that call) 👇🏻 6/n pic.twitter.com/uy7tkqWUO7
— Nandan kumar (@_sirius93_) March 28, 2022
With none of these methods succeeding, the software engineer says that his “developer instinct” kicked in.
He wrote, “I pressed the F12 button on my computer keyboard and opened the developer console on the IndiGo website and started the entire checkin flow with the network log record.” There, Kumar managed to find the email address and phone number of the co-traveller, who had unknowingly taken away his luggage.
So, today morning I started digging into the indigo website trying the co passenger’s PNR which was written on the bag tag in hope to get the address or number by trying different methods like check-in, edit booking, update contact, But no luck whatsoever.
8/n
— Nandan kumar (@_sirius93_) March 28, 2022
Finally, he was able to reach his co-traveller, who lived not far from Kumar’s Bengaluru home. The two decided to meet midway and exchanged their bags.
And there in one of the network responses was the phone number and email ID of my co-passenger.
Ah this was my low-key hacker moment 😇😇 and the ray of hope.
I made note of the details and decided to call the person and try to get the bags swapped. #dev #dataleak #bug pic.twitter.com/9l4pmNDk6V
— Nandan kumar (@_sirius93_) March 28, 2022
Kumar concludes his thread with a few suggestions for IndiGo, which include more proactive customer service. He also wrote, “Your website leaks sensitive data.”
The airline responded to his tweet, saying that the data privacy policy prevented them from sharing personal details of a passenger, but “the IndiGo website was not compromised at any point.”