He hacked an airline’s website to locate his missing luggage


The story of Nandan Kumar, an engineer who hacked an airline website to retrieve his suitcase, spread across social networks and went viral, putting the company between a rock and a hard place after he denounced its deficiencies in customer service and cybersecurity.

It was on March 28 when the software engineer and Java programmer opened a thread on Twitter to recount his travel experience and his troubleshooting with the airline IndiGo.

“Hey @IndiGo6E wanna hear a story? And in the end, I will tell you a hole (technical vulnerability) in your system,” the engineer tweeted.

He recounted that he had traveled from Patna to Bangalore, India, on flight 6E-185, when the airline made a mistake, sending his bag to another passenger and vice versa. He said that he could understand because both bags were the same, except for a few small differences. He added that he had not paid much attention to the details of the luggage because he trusted the company a lot and believed that everything was in order.

It wasn’t until he got home that his wife told him that the suitcase they had brought looked different from his, in addition to the fact that they do not use straps to close it. At that point, he called the airline to report the problem.

However, the response from customer service was not what he expected, as they did not immediately help him to retrieve his luggage.

“After several calls and browsing through the @IndiGo6E IVR and of course a lot of waiting. I was able to connect with one of their customer service agents and they tried to connect me with the co-passenger. But all in vain.”

Although they did not give him a quick solution and refused to provide him with the contact details of the person who had taken his suitcase, he waited, as the customer service staff told him they would call him once they had contacted the other passenger.

After a day of waiting, he had not received any calls, so he decided to take matters into his own hands and began to investigate the IndiGo website, trying to find the passenger who had his suitcase by himself.

“Then, this morning I started digging on the Indigo website trying the PNR of the co-passenger which was written on the luggage tag hoping to get the address or number by trying different methods like check-in, edit reservation, update contact, but no luck.”

But that did not stop him: after several failed attempts, his developer instinct led him to press the F12 key on his computer and open the developer console on the IndiGo website, where the entire registration flow began.

“And there, in one of the responses from the network, was the phone number and email that I had for my co-passenger. This was my low-key hacker moment and my ray of hope.”

After discovering the information, he took down the contact details and decided to call the other person to exchange bags. He explained that fortunately the passenger answered and was approximately 7 kilometers away, so they could agree on a midpoint to meet.

At the meeting place, he explained what had happened and how he had found the contact details. He added that the other person told him that they had not received any calls from the airline and had not realized that the suitcase was not theirs.

Because it was so easy for him to find personal information on the website, he made some cybersecurity recommendations to the company and advised passengers not to share photos of their boarding pass, details of their reservation code, or any other sensitive data on social networks.