Railyatri Security Flaw Could Have Exposed Debit Cards, UPI Data of 7 Lakh Passengers
- RailYatri security flaw exposed user names, payment information
- It was first spotted by Safety Detectives, a cyber-security firm
- RailYatri has closed the unprotected server in question
RailYatri was reportedly left exposed due to inadequate security measures, that put the payment information and other personal data of lakhs of users at risk. As per the report, the data was saved on an unsecured server, and the ticket-booking platform potentially exposed personal information of over 7 lakh passengers. This includes full names, phone numbers, addresses, email IDs, ticket booking details, and partial credit or debit card numbers. The vulnerability that was first spotted by a team of cyber-security researchers on August 10.
As reported by The Next Web, the exposed Elasticsearch server was spotted by a team of researchers at cyber-security firm Safety Detectives on August 10. The security firm discovered that the affected server was left exposed without any encryption or password protection for several days. Safety Detectives said in its blog that anyone with the server’s IP address could have gained access to the full database.
The blog pointed out that the data, amounting to nearly 43GB, mostly featured users based in India. The firm estimated that over seven lakh individuals were likely affected by the vulnerability.
Gadgets 360 has reached out to RailYatri for a statement. This report will be updated when we hear back.
Update: A company spokesperson denied the claims and said that it does not store “financial and other sensitive data,” apart from some partial details. The spokesperson also stated that RailYatri only stores a day’s worth of data, which would not amount to this scale of information.
At the time of writing, RailYatri didn’t respond to The Next Web or Security Detectives, but closed the server after the security firm raised the matter with the government wing, Indian Computer Emergency Response Team (CERT-In).
On August 12, a Meow bot attack lead to the deletion of nearly the entire server data, according to Safety Detectives’ blog post. The Meow bot is a new type of cyber-attack that deletes unsecured databases that run Elasticsearch, Redis, or MongoDB servers.
The database in question comprised over 37 million records, including log files. The type of information exposed contained full names, age, gender, physical/ email addresses, contact numbers, payment logs, UPI IDs, train and bus booking details, and travel itinerary information. It also carried partial records of credit and debit card information as well as the users’ GPS location information.