This is the exciting (yet a little disappointing, more on that in a bit) story of how a responsible hacker broke into numerous websites, detected security vulnerabilities and, instead of using them for his own benefit, reported them to the respective companies.
It’s a little disappointing because almost none of them (except Air India) rewarded him with respect, recognition or money. One such ethical hacker is this “20-something”, Kanishk Sajnani. He has hacked into many portals, discovered countless bugs in their security systems and ethically informed the websites concerned about them.
“I never shared any of my findings with anyone else. I’m doing it now because their applications have been updated & thus bugs have been removed.”
In a very detailed first-person account, Sajnani revealed how he managed to book a flight to San Francisco for just Re 1, booked another flight for Rs 4 and got a refund of Rs 2000, booked a free spa session and got a refund of Rs 1199, and told his tale of free biryanis, too.
In 2015, he found a bug in the Air India portal and booked himself a seat on a US-bound flight for just Re 1. Yep! He could’ve travelled the world for free. But did he do that? Nope! Instead, he wrote them an email (on November 4, 2015), informing them about the bug. But a call was waiting for him.
“Received an unexpected phone call from their Manager (Finance) on 12th Nov ’15. He asked me to prove if such a vulnerability existed & Oh boy! Did I?”
The details were legitimate, and the manager asked him about rectification measures, for which he sent the details (a POC, proof of concept) via email. They did offer him an internship, but he didn’t take it up.
Then comes the tale of SpiceJet. He found a “similar vulnerability in SpiceJet’s Mobile application” and informed them. On October 28, 2015, Kanishk booked a ticket from Ahmedabad to Goa worth Rs 4000, but he actually paid Rs 4 for it.
He thought the transaction would get flagged or someone would get in touch with him, but that didn’t happen.
“I decided to drop a mail to some senior Official. Shockingly, I wasn’t even able to find out the email addresses of their CEO or CTO or CMO. All I could manage to find were these (custrelations-nodalofficer & email@example.com). With no choice left, I sent a similar email (like the one to Air India) to SpiceJet too. Their reply baffled me.”
He then reached out to the General Manager, Mr Pradeep Shah (GM, Reservations), who asked him to forward the emails, which he did, and this was the reply he got.
“They sent me our previous correspondence in a .eml type file attached *Double Facepalm* This time the mail was signed by their Nodal Officer. Either they didn’t understand the point I made or they didn’t like to acknowledge the fact that their security was compromised.”
The ticket was still valid, but Sajnani cancelled it himself on November 21. The cancellation mail didn’t mention any refund amount, so he called the helpline and was told that he was eligible for a refund of Rs 2000, which could be credited to his account or used on his next trip. His observation? The financial systems’ back-end couldn’t detect irregularities in payment.
Next was Cleartrip. This was in March 2016. He could’ve “booked flights, hotels, international holidays, trains, restaurant dates, massages, cultural events, sport activities. Anything for absolutely free.” He shared the screenshots in order.
He was asked if that could be discussed over a “quick call”. Kanishk refused because…
“Never have such conversations over the phone. A written correspondence is a must (you’ll have proof in case something goes wrong). I made an excuse & asked him to continue over here or on Facebook.”
And then he was enticed with a reward-bait.
He responded saying,
Oh, and then he encountered failed transactions too.
“One of them was automatically processed as ‘Money Paid but failed’. A refund request was generated. My Mobikwik wallet was credited with 1199 Rupees.”
He duly informed them about this too, and didn’t hear from them again. The next thing he knew, the MobiKwik wallet was taken down from their application and never put back up.
Since he didn’t hear from them again, he shot an email to the co-founders.
But there was no acknowledgment.
You can read his entire blog here.