This guy really had an option to travel around the world for free. But this is what he did instead. From Air India, Spice Jet to Clear Trip this engineering student explains why he hacked these websites and what he exactly learnt from them.
A 20 Years Old Engineering student from India, is not the only way Kanishk Sajnani will be known from now on. This young gentleman has actually been successful to do something that we all cannot not even think off. Hacking is a good practice or not, it’s actually left up to us to decide. But this guy has no qualms when someone actually calls him a hacker. It is during some of his exercise he came across some bugs on the different portal websites, there by identifying the vulnerability in their hacking system. And in a month time he did it all.
He had his research began through the website of Air India, and soon he discovered that he could travel across the ocean for free. Instead he brought them a carrier’s notice by emailing them and was then challenged by them. He then immediately booked a ticket for San Francisco for Re 1, later for which he was offered an internship by them and he declined. In his own words he did it in a month and said, I never shared about any findings with the ones I know. I did everything on my own because they have their applications being updated and the bugs have been removed.
In a very detailed first person account, he revealed how he was able to manage to book a flight to USA, then booked another flight with Rupees 4, and then gets a refund of Rupees 2000. He also books a spa service and gets an refund of 1999 with a tale of his biryanis too.
Image of his first email:
He then receives an unexpected phone call immediately from the manager on the 12th Nov 2015, and asked him to prove if any such of kind of vulnerability actually existed.
The manager to this shocked and asked him about the rectification measures for it, for which he then sent an detail email via POC(Proof of concept).
Just like what he did for Air India, He had found a similar kind of vulnerability in the spice Jet Mobile Application.
The above tickets were booked on the 28th October, where the travel date was exactly a month later. The guy was then hoping that the transaction will be flagged and someone from the head office will be contacting him immediately. And to his surprise this again did not happen. He then like Air India decided to immediately drop the organization an email, but could not get the email addresses of the higher authorities. All that he could manage to find here was the email id of the customer care. And with no choice left he sent them an email immediately.
He also managed to find the email Id of Mr. Pradeep Shah who is the GM of spice jet and sent him the same email immediately. And then the follow-up that was done was something that was really not expected.
They sent him back his email and was an email that was signed by the Nodal officer of their organization. The officer did not understand the mail that was actually written by him or did not like their security system that was compromised by their organization. The ticket that was booked was valid till the 21st of November until when I actually decided to cancel it.
The cancellation email did not have any refund amount to which he called their helpline immediately. The representatives then told him that he is applicable for the cancellation email around 2000, and he could choose to credit that amount in the debit card or use it for his next trip when required.
He says following are the things that he had learnt from the experiences:
- Indian companies like always don’t pay attention to the security of their products.
- None of their application or websites are secured. Chances are someone might already been hacking their sites
- Ethical hacking is something that is rarely appreciated.
What has to be changed?
- Each and everything related to the cyber-crime has to be changed in our country.
- Development and maintenance is something that is really very important. The company has to make sure that their websites, product is secured from all the hacking techniques.
- Every organization should actually opt for an Bug Bounty Programme or at least have a responsibility of the disclosure policy.
- Appreciate and acknowledge those who actually find the loopholes in your system.
Kudos to Kanishk Sajnani and the other ethical hackers like them who put all the efforts to push the technology gap between what’s safe and what’s not. Organizations actually have to be thankful to their brains for finding the loopholes in your system.