A Bengaluru man hacked IndiGo airline’s website after the airline did little to help him retrieve his lost luggage.
Nandan Kumar, whose Twitter bio describes him as a software engineer, was flying from the Indian city of Patna to Bangalore on an IndiGo flight when his luggage was mistakenly exchanged with another passenger’s.
Kumar shared his story of retrieving his luggage and simultaneously pointed out the flaws in the security of the IndiGo website.
Hey @IndiGo6E ,
Want to hear a story? And at the end of it I will tell you hole (technical vulnerability) in your system? #dev #bug #bugbounty 😝😝 1/n
— Nandan kumar (@_sirius93_) March 28, 2022
“So, I travelled from PAT – BLR from indigo 6E-185 yesterday. And my bag got exchanged with another passenger. Honest mistake from both our ends. As the bags were exactly the same with some minor differences,” Kumar wrote in the tweet.
Kumar said he found out about the missing bag when he reached Bengaluru. “I realised it only after I reached home when my wife pointed out that the bag seems to be different from ours as we don’t use key-based locks in our bags,” Kumar said.
After multiple calls and navigating through @IndiGo6E IVR and of course a lot of wait I was able to connect to one of your customer care agents and they tried to connect me with the co-passenger. But all in vain. 4/n
— Nandan kumar (@_sirius93_) March 28, 2022
He then went on to specify that he called the customer care number and followed all protocols to locate his lost luggage.
“After the call did not work, the agent assured me that they will call me back when they are able to reach the other person,” Kumar added.
“I started digging into the Indigo website trying the co passenger’s PNR which was written on the bag tag in hopes of getting his address or number by trying different methods like check-in, edit booking, update contact,” he explained.
“I pressed the F12 button on my computer keyboard and opened the developer console on the IndiGo website and started the whole checkin flow with network log record on,” he wrote. There, Mr Kumar managed to find the email address and phone number of the co-passenger who had unwittingly walked out with his luggage.
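According to the account above, responses in the check-in flow carried the co-passenger's email address and phone number to a client that had supplied only a PNR. The following Python is an added example, not code from the article or from IndiGo; the booking record is constructed and its field names are assumptions. It builds the PNR-lookup response from an explicit allow-list with masked contacts, and includes a check that flags unmasked emails or phone numbers anywhere in a payload:

```python
import re

# Constructed booking record; field names are assumptions, not the airline's schema.
SAMPLE_BOOKING = {
    "pnr": "ABC123",
    "flight": "6E-185",
    "passengers": [{
        "name": "A. Passenger",
        "seat": "12C",
        "contact": {"email": "passenger@example.com", "phone": "+919800000000"},
    }],
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d{10,13}")

def mask_email(email):
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain

def mask_phone(phone):
    return "*" * (len(phone) - 2) + phone[-2:]

def checkin_view(booking):
    """Response for a PNR-only lookup: allow-listed fields, contacts masked."""
    return {
        "pnr": booking["pnr"],
        "flight": booking["flight"],
        "passengers": [{
            "name": p["name"],
            "seat": p["seat"],
            "contact": {"email": mask_email(p["contact"]["email"]),
                        "phone": mask_phone(p["contact"]["phone"])},
        } for p in booking["passengers"]],
    }

def find_pii(node, path="$"):
    """Return JSON paths whose string value is an unmasked email or phone number."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_pii(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_pii(value, f"{path}[{i}]")
    elif isinstance(node, str) and (EMAIL_RE.fullmatch(node) or PHONE_RE.fullmatch(node)):
        hits.append(path)
    return hits
```

Running `find_pii` over recorded API responses in an automated test catches a serializer that starts returning raw contact fields again.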
Kumar not only retrieved the contact details of his co-passenger, he also shared some advice after finding loopholes in the airline’s website.
Kumar advised IndiGo: “Fix your IVR and make it more user friendly; Make your customer service more proactive than reactive, and Your website leaks sensitive data get it fixed”.
Dear,@IndiGo6E take note
1. Fix your IVR and make it more user friendly
2. Make your customer service more proactive than reactive
3. Your website leaks sensitive data get it fixed.
— Nandan kumar (@_sirius93_) March 28, 2022
IndiGo responded with a note apologising for the inconvenience caused and gave an assurance that the website had no security lapses.