How this guy found a security vulnerability on an airline’s website to locate his lost luggage

Dealing with airlines can be a headache, although there are certainly those who are willing to take extreme measures to get what they want. Such is the case of Nandan Kumar, an Indian citizen who claims to have hacked the website of a local airline to find his lost luggage.

After one of his bags was swapped with another passenger's on a flight of the low-cost airline IndiGo, Kumar asked the company for help tracking his luggage, a request the airline rejected. Faced with this situation, Kumar decided to track his luggage by extracting information from IndiGo’s systems.

For its part, the airline maintains that its computer systems have not been compromised in any way.

While he denies being anything like a professional hacker, Kumar mentions that he had to do something to retrieve his luggage. In a series of tweets, the software engineer claims that when he arrived at the airport’s baggage belt, a passenger simply took his luggage and left.

Kumar realized the mistake only after arriving home, as both suitcases looked exactly the same. He managed to identify the other person’s registration number through a baggage tag, but when he called the airline to ask for information about the passenger, they refused to help, citing data protection terms.

The airline issued a statement specifying that its customer service team followed up on the user’s request, which was rejected so as not to expose the data of any other passenger, ending the matter. “Although an agent assured me that they would try to contact the other passenger, I never received an update on it,” Kumar mentions.

The next day the software engineer began researching on his own, testing the airline’s websites with some analysis methods: “After multiple failed attempts, I simply pressed F12 and the developer console was opened on the IndiGo website, which allowed me to review the network logs,” he adds.

Kumar found the other passenger’s phone number, information that should have been protected with encryption. In the end, both passengers were able to make contact and return their bags, although this should be a cybersecurity lesson for the company’s administrators.
