The air carrier, however, rubbished the traveller's claims and insisted its IT system is 'robust'.
Twitter/Agencies
A software engineer on Monday took to Twitter to reveal a ‘technical vulnerability’ on Indian air carrier IndiGo’s website, which he said “leaks sensitive data”.
Nandan Kumar had travelled from Patna to Bangalore on an IndiGo flight the previous day. On arrival, he said his bag got exchanged with that of a co-passenger in “an honest mistake,” as both the bags were similar.
According to the thread, he said he called the airline’s customer care numbers, but in vain. The officials were not ready to provide the contact details of the person who took his bag and cited privacy and data protection as the reasons. They assured him that they would call him back after contacting the other person; however, this never transpired.
Kumar probed the airline’s website using the other passenger's PNR details, which were mentioned on his bag. “After all the failed attempts, my [developer] instinct kicked in and I pressed the F12 button on my computer keyboard and opened the developer console on the @IndiGo6E website and started the whole checkin flow with network log record on,” he explained.
He then managed to get the phone number and email ID of the other passenger, who happened to live close to his house in Bangalore. Both owners were able to successfully exchange the bags in their possession for their own.
Kumar urged IndiGo to have a more proactive customer care department and also warned it to fix its website, which “leaks sensitive data”.
The airline, however, rubbished his claims. In its response, IndiGo said its IT system is robust and has not been compromised.
It added that any passenger can retrieve their booking details using PNR, last name, contact number, or email address from the website. “This is the norm practiced across all airline systems globally.”
However, the airline stated that Kumar's feedback has been “duly noted and will definitely be reviewed.”