India Today Conclave
India Today Conclave

An Ethical Hacker Reveals How He Booked a Flight From India to US in Just 1 Rupee!

Wait, there's more. He booked a flight to San Francisco for Re 1, booked another one for Rs. 4 and ended up getting a refund of Rs 2000.

20 December, 2018
An Ethical Hacker Reveals How He Booked a Flight From India to US in Just 1 Rupee!

Taking life *hacks* to a whole new level is this guy, Kanishk Sajnani, who's managed to turn everyone green with envy by booking cheap AF flights from several websites.

But, wait, this isn't just about him using bugs to his advantage, this 20 something genius has hacked into a lot of company websites and notified them about the countless bugs he discovered. Which was great. But, it's a bummer that most of the companies except Air India never rewarded him with money or recognition.

Sharing his experience on Medium, Kanishk mentioned anecdotes from his hacking history that involved hacking Air India, SpiceJet, Cleartrip and a few more Indian websites. As per him, he did all of that in ONE month!

jjgg

Sajnani revealed how he managed to book a flight to San Francisco for just Re 1, booked the next one for Rs 4 and ended up getting a refund of Rs 2000. He also booked a free spa and got a refund of Rs 1199, too.

Back in 2015, when he had found a bug in the Air India portal and booked himself a seat on a US-bound flight for just Re 1. Yep! He could've travelled the world for free but no, instead, he send them an email, informing them about the bug.

dd

dd

Wait, there's more. Here are a few more screenshots he posted about his experience with Spicejet,

ggg

He thought the transaction would get flagged or someone would get in touch with him, but that didn't happen. The hacker said, "I decided to drop a mail to some senior Official. Shockingly, I wasn't even able to find out the email addresses of their CEO or CTO or CMO. All I could manage to find were these ( custrelations-nodalofficer & apppelateauthority@spicejet.com) With no choice left, I sent a similar email ( like one to Air India) to SpiceJet too. Their reply baffled me."

ss

He then reached out to the General Manager, Mr Pradeep Shah (GM, Reservations), who asked him to forward the emails. Which he did, and this was the response he got:

 

  

mnmn

"They sent me our previous correspondence in a .eml type file attached *Double Facepalm * This time the mail was signed by their Nodal Officer. Either they didn't understand the point I made Or they didn't like to acknowledge the fact that their security was compromised" he added.

Next on his list was Cleartrip. In marcg 2016, this hacker could've "booked flights, hotels, international holidays, trains, restaurant dates, massages, cultural events, sport activities. Anything for absolutely free." He shared the following screenshots in order.

ed

Email to the Co-founders

He was asked if that could be discussed over a "quick call" but he refused to do that because:

"NEVER HAVE SUCH CONVERSATIONS OVER THE PHONE. A WRITTEN CORRESPONDENCE IS MUST ( YOU'LL HAVE PROOF IN CASE SOMETHING GOES WRONG) I MADE AN EXCUSE & ASKED HIM TO CONTINUE OVER HERE OR ON FACEBOOK."

 

jhj

He replied saying,

    

mkm

 

Followed by booking this:

hhj

Oh, and then he got failed transactions notifs.

vv

"ONE OF THEM WAS AUTOMATICALLY PROCESSED AS 'MONEY PAID BUT FAILED'. A REFUND REQUEST WAS GENERATED. MY MOBIKWIK WALLET WAS CREDITED WITH 1199 RUPEES."

He duly informed them about this activity too and never heard back from them.

Since he didn't hear from them again, he shot an email to the co-founders.

fh

 

But there was no acknowledgment.

Here's what he learnt:

"What I've learnt from my Experiences?1. Indian Companies don't pay the attention required for security of their Products.2. No Application/Website is entirely secure. Chances are, maybe someone is already exploiting the bugs right under their nose.3. The only way they understand the Importance of Bug Bounty Programmes is through Public Humiliation. Damage control is obligatory once you get hacked. Best Example – Ola Cabs4. Ethical Hacking is rarely appreciated.5. The process of resolution usually takes a lot of time here. I remember submitting a vulnerability to Mobikwik through their Official Programme. I was just able to Brute Force the OTP during Account Creation. They took like five weeks to get it over with & rewarded me with a sum of 2k ₹.

What needs to be changed?

1. Everything. From Cyber laws to the way security is dealt in our Country.2. Development & Maintenance isn't everything. The company should be secure from any kind of hacking attempts. Leak of private customer details would mean a massive lawsuit coming your way.Every Big startup/company should opt for a Bug Bounty Programme Or at least have a Responsible Disclosure Policy. Platforms such as Hackerone Or Bugcrowd can be used too.3. Appreciate & Acknowledge those who find loopholes in your system.4. The Cycle of Bug Identification- Resolution- Reward should be as fast as possible.5. Companies that don't have their own security Engineers can hire other firms to test their API's."

Serious talk aside, we're definitely very, VERY jealous!

Comment