An Ethical Hacker Reveals How He Booked a Flight From India to US in Just 1 Rupee!

Wait, there's more. He booked a flight to San Francisco for Re 1, booked another one for Rs. 4 and ended up getting a refund of Rs 2000. 😳 😳


Taking life *hacks* to a whole new level is this guy, Kanishk Sajnani, who's managed to turn everyone green with envy by booking cheap AF flights from several websites.

But wait, this isn't just about him using bugs to his advantage. This 20-something genius has hacked into a lot of company websites and notified them about the countless bugs he discovered, which was great. But it's a bummer that most of the companies, except Air India, never rewarded him with money or recognition.


Sharing his experience on Medium, Kanishk mentioned anecdotes from his hacking history that involved hacking Air India, SpiceJet, Cleartrip and a few more Indian websites. As per him, he did all of that in ONE month!


Sajnani revealed how he managed to book a flight to San Francisco for just Re 1, booked the next one for Rs 4 and ended up getting a refund of Rs 2000. He also booked a free spa and got a refund of Rs 1199, too.


Back in 2015, he found a bug in the Air India portal and booked himself a seat on a US-bound flight for just Re 1. Yep! He could've travelled the world for free but no, instead, he sent them an email informing them about the bug.

Wait, there's more. Here are a few more screenshots he posted about his experience with SpiceJet:

He thought the transaction would get flagged or someone would get in touch with him, but that didn't happen. The hacker said, "I decided to drop a mail to some senior Official. Shockingly, I wasn't even able to find out the email addresses of their CEO or CTO or CMO. All I could manage to find were these (custrelations-nodalofficer & apppelateauthority@spicejet.com). With no choice left, I sent a similar email (like one to Air India) to SpiceJet too. Their reply baffled me."

He then reached out to the General Manager, Mr Pradeep Shah (GM, Reservations), who asked him to forward the emails. Which he did, and this was the response he got.

"They sent me our previous correspondence in a .eml type file attached *Double Facepalm* This time the mail was signed by their Nodal Officer. Either they didn't understand the point I made Or they didn't like to acknowledge the fact that their security was compromised," he added.

Next on his list was Cleartrip. In March 2016, this hacker could've "booked flights, hotels, international holidays, trains, restaurant dates, massages, cultural events, sport activities. Anything for absolutely free." He shared the following screenshots in order.

Email to the Co-founders

He was asked if that could be discussed over a "quick call" but he refused to do that because:

"NEVER HAVE SUCH CONVERSATIONS OVER THE PHONE. A WRITTEN CORRESPONDENCE IS MUST ( YOU'LL HAVE PROOF IN CASE SOMETHING GOES WRONG) I MADE AN EXCUSE & ASKED HIM TO CONTINUE OVER HERE OR ON FACEBOOK."

He replied saying,

His reply

The Trip he booked

Oh, and then he encountered failed transactions too.

"ONE OF THEM WAS AUTOMATICALLY PROCESSED AS 'MONEY PAID BUT FAILED'. A REFUND REQUEST WAS GENERATED. MY MOBIKWIK WALLET WAS CREDITED WITH 1199 RUPEES."

He duly informed them about this activity too and never heard back from them.

Since he didn't hear from them again, he shot an email to the co-founders.

But there was no acknowledgment.

Here's what his takeaway was:

"What I've learnt from my Experiences?

1. Indian Companies don't pay the attention required for security of their Products.
2. No Application/Website is entirely secure. Chances are, maybe someone is already exploiting the bugs right under their nose.
3. The only way they understand the Importance of Bug Bounty Programmes is through Public Humiliation. Damage control is obligatory once you get hacked. Best Example – Ola Cabs
4. Ethical Hacking is rarely appreciated.
5. The process of resolution usually takes a lot of time here. I remember submitting a vulnerability to Mobikwik through their Official Programme. I was just able to Brute Force the OTP during Account Creation. They took like five weeks to get it over with & rewarded me with a sum of 2k ₹.

What needs to be changed?

1. Everything. From Cyber laws to the way security is dealt in our Country.
2. Development & Maintenance isn't everything. The company should be secure from any kind of hacking attempts. Leak of private customer details would mean a massive lawsuit coming your way. Every Big startup/company should opt for a Bug Bounty Programme Or at least have a Responsible Disclosure Policy. Platforms such as HackerOne Or Bugcrowd can be used too.
3. Appreciate & Acknowledge those who find loopholes in your system.
4. The Cycle of Bug Identification- Resolution- Reward should be as fast as possible.
5. Companies that don't have their own security Engineers can hire other firms to test their APIs."

Serious talk aside, we're definitely very, VERY jealous!

What do you think?
