Bollywood has a long history of characters who are “amazing hackers” (remember Lord Bobby in Ajnabee?), but none of them stands a chance against this software engineer, who had to resort to “hacking” to retrieve his lost luggage.
It all started when Nandan Kumar, a Bangalore-based software engineer, was travelling from Patna to Bangalore on an IndiGo flight earlier this week. Unfortunately, his bag got exchanged with another passenger’s on the flight, since the two bags looked similar.
Despite multiple calls and complaints to the airline, the issue could not be resolved. That’s when he decided to take the matter into his own hands.
I realised it only after I reached home when my wife pointed out that the bag seems to be different from ours as we don’t use key-based locks in our bags.
— Nandan kumar (@_sirius93_) March 28, 2022
PS: We have too much faith in airline staff 😝😝
So right after reaching home I called your customer care. 3/n
He located the PNR number of the passenger whose luggage got exchanged with his own and proceeded to track down the customer’s details.
And there in one of the network responses was the phone number and email ID of my co-passenger.
— Nandan kumar (@_sirius93_) March 28, 2022
Ah this was my low-key hacker moment 😇😇 and the ray of hope.
I made note of the details and decided to call the person and try to get the bags swapped. #dev #dataleak #bug pic.twitter.com/9l4pmNDk6V
The process not only helped him find his lost luggage but also led him to discover an apparent loophole in IndiGo’s system that allowed for a data leak.
Dear,@IndiGo6E take note
— Nandan kumar (@_sirius93_) March 28, 2022
1. Fix your IVR and make it more user friendly
2. Make your customer service more proactive than reactive
3. Your website leaks sensitive data get it fixed.
You can check the entire thread here, where he even asked the airline to improve their services by considering his notes.
Hey @IndiGo6E ,
— Nandan kumar (@_sirius93_) March 28, 2022
Want to hear a story? And at the end of it I will tell you hole (technical vulnerability) in your system? #dev #bug #bugbounty 😝😝 1/n
The airline responded to his tweets, saying that due to its data privacy policy, it is not allowed to share any passenger’s information, and that at no point was the airline’s website compromised. You can read the entire tweet here:
— IndiGo (@IndiGo6E) March 29, 2022
Here’s what the netizens think of the entire incident:
In my career of 15 years in aviation this is surely the most amazing and epic way a passenger has resolved his query on his own. I shall surely contact you in the future if I ever need any specific info 🤦🏻‍♂️. Hats off 👏🏼
— Siddharth Agarwal (@discoversidd) March 28, 2022
Interesting. Moral of the story..Always check label tag before putting off the belt. Even if the bag looks exactly like yours (with a ribbon on the handle). Everyone can’t hack!!
— डॉक्टरनी Usha🇮🇳 (@upratap09) March 29, 2022
Are any Indian airlines compliant with GDPR? You can very well sue Indigo in this instance of private data leak.
— Virender Jamnal (@virendersj) March 28, 2022
I also had a similar experience but I found out as soon as I left the airport n before I took a taxi. Luckily the other person was still in the airport to charge his phone… we were able to exchange without much hassle
— why ✋🏼 (@sanyalrajesh) March 29, 2022
That means you are not a dev, more specifically front end dev. 😀
— Pradeep Gururani 🇮🇳 (@p_gururani) March 29, 2022
Loved how you took the matter in your hands and resolved this fiasco.
— Muskan Kumar (@muskanvkk) March 29, 2022
Makes for a great story too 😉
It’s a better chance to succeed in hacking than to connect to their customer support.
— Maharshi (@RainOnMountain) March 29, 2022
Interesting one! Thanks for sharing it.
— Santosh Mishra (@isantosh777) March 28, 2022
Hope you get rewarded for finding this bug!
Wow. Such a big airline has such a simple bug in their website. Unbelievable. https://t.co/HJ8QRNOzXM
— Ishann Daultani 👨‍💻 (@DaultaniIshann) March 29, 2022
@IndiGo6E This bug definitely needs to be fixed soon. Customer privacy needs to be taken more seriously. https://t.co/NAPaUQ0Zsm
— Shubham Sharma (@shubham_le) March 29, 2022
Power of a developer!🤟🏻🤟🏻#bugbounty https://t.co/u0vy35anHm
— No Bat Involved (@hariprasad_28) March 29, 2022
Indigo is leaking sensitive personal data of all its fliers. Beware. And @IndiGo6E hope you rush to fix this ASAP. https://t.co/9DEAvsphVl
— Shantinath Chaudhary (@shantihp) March 29, 2022
@IndiGo6E I am now so tempted to try this.. hope before I get time, you are able to fix this https://t.co/mm4sb0EXfq
— Office of Akshay Bhardwaj (@aksjas) March 29, 2022
Woah, give this man a reward already!