A software engineer has claimed to have hacked IndiGo’s website to retrieve his luggage, which he had accidentally switched with a co-passenger. The airline denied his claim.
In a Twitter thread, the man, Nandan Kumar, said he took matters into his own hands because he did not receive help from the airline.
“Hey IndiGo6E want to hear a story?” the man wrote in his first tweet. “And at the end of it I will tell you a technical vulnerability in your system.”
Hey @IndiGo6E, Want to hear a story? And at the end of it I will tell you hole (technical vulnerability) in your system? #dev #bug #bugbounty 1/n — Nandan kumar (@_sirius93_) March 28, 2022
Kumar added that he had taken a flight from Patna to Bengaluru on March 27 and ended up switching his luggage with another person. “Honest mistake from both our end as the bags (were) exactly same with some minor differences.”
The man said it was only after reaching home that he realised he was not carrying his own bag. Then, he reached out to the airline.
“After multiple calls and navigating through IndiGo IVR (interactive voice response), and of course a lot of wait, I was able to connect to one of your customer care agents and they tried to connect me with the co-passenger,” he added. “But all in vain.”
Kumar said the matter was not resolved and that, for obvious privacy reasons, IndiGo’s customer care refused to provide him with his co-passenger’s contact details.
The man said the customer care agent assured him that they would get back to him after contacting his co-passenger.
Kumar claimed the airline did not follow up.
“So, I started digging into the IndiGo website trying the co passenger’s PNR which was written on the bag tag in hope to get the address or number by trying different methods like check-in, edit booking, update contact, but no luck whatsoever,” he said.
Then, he said his “developer instinct” kicked in.
“I pressed the F12 button on my computer keyboard and opened the developer console on the IndiGo website and started the whole check-in flow with network log record on,” Kumar added. “And there in one of the network responses was the phone number and email ID of my co-passenger. Ah this was my low-key hacker moment and the ray of hope.”
Kumar said that when he called his co-passenger, he found out he was not too far away. “We decided to meet at a center point and got our bags swapped,” he added.
The man had some suggestions for IndiGo. “Fix your IVR and make it more user friendly, make your customer service more proactive than reactive. Your website leaks sensitive data, get it fixed.”
As the man’s account got attention on Twitter, IndiGo issued a statement in response.
“Due to data privacy policy, we're not allowed to share any of the passenger's information therefore, our customer care team tried to arrange a conference call in order to facilitate the exchange of baggage,” the airline said. “Our IT processes are completely robust and, at no point was the IndiGo website compromised.”