Bengaluru techie hacks IndiGo website to get his lost bag, raises a scare over cyber security

Nandan Kumar, a software engineer by profession, recently proudly said that he hacked into IndiGo’s official website because he lost his baggage. Yes, that’s the reason he gave. The story may sound funny, but it isn’t if you look deeper at it.

Kumar posted a Twitter thread explaining what really happened and how, in just a few hours, he managed to hack into the website of IndiGo, one of the most popular airlines in the country.

It all started while he was travelling from Patna to Bengaluru earlier this week, when his bag was swapped with that of another passenger who had a similar-looking one.

When Kumar realised that he had brought the wrong bag home, he contacted IndiGo’s customer care, but the airline wouldn’t help him much. Customer care assured him that it would look into the matter, come up with a solution and call him back with an update in a few hours. But Kumar, as he mentioned in the tweets, wasn’t very convinced and decided to take the matter into his own hands. He decided to hack into the official website of IndiGo to find the co-passenger’s details like mobile number and address.

“Today morning I started digging into the IndiGo website trying the co passenger’s PNR which was written on the bag tag in hope to get the address or number by trying different methods like check-in, edit booking, update contact, But no luck whatsoever,” he wrote.

Kumar then dug deeper and managed to find the contact details of the person, who was in no way related to him. “After all the failed attempts, my dev (developer) instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on the @IndiGo6E website and started the whole check in flow with network log record on,” he said.

In one of the network responses he then found the passenger’s contact details, including phone number and email ID. “And there in one of the network responses was the phone number and email ID of my co-passenger. Ah, this was my low-key hacker moment and the ray of hope. I made note of the details and decided to call the person and try to get the bags swapped,” he noted.

Huge cyber security risk

Though Kumar finally managed to get his bag and return the one he had to the co-passenger, there’s a question that needs to be asked: What is going on with the cyber security of IndiGo?

Firstly, this isn’t the first time that someone has lost their bag at the airport. Such situations happen and there are some processes to resolve them. Though the procedure is cumbersome, bypassing it and hacking into the official website to find details of other passengers hardly seems a safe option.

It is also important to mention that Kumar was able to hack into the system because of certain bugs that allowed him to find the personal details of his co-passenger. So, that should be taken care of by the airline. With just PNR and name, Kumar managed to find the entire ‘Itinerary’ of that passenger on the website. It is probable that if he had details of other passengers travelling with him, he could have discovered their details like ticket price, flight timings, house address, mobile number, company name, email address, names of family and friends, and more.

This is scary! So much so that hackers can probably find out if you opted for a chicken sandwich or noodles during your in-flight lunch. On its part, IndiGo, though, has said that there is no glitch or leak of private details from its website.

In a statement posted on Twitter, the company said: “We at IndiGo, remain fully committed to consumer data privacy and industry benchmark cyber-security standards… our IT processes are completely robust and, at no point was the IndiGo website compromised. Any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. This is the norm practiced across all airline systems globally”.