Indian hacker pwned Air India, SpiceJet & Cleartrip; booked free flights

Kanishk Sajnani, a young ethical hacker who is in his early 20s, recently managed to conduct a hacking spree and reward himself a discounted flight, a free ticket and much more. However, instead of doing the things he could, he simply informed the respective companies about the flaws their systems had. This is what ethical hacking is all about.

Kanishk Sajnani / Image Source: Facebook

The Air India hack

Sajnani was able to hack into the application tracking system of Air India in 2015 (but only disclosing it now in 2017) and exploited a major vulnerability that allowed him to book a ticket from India to San Francisco for just Re 1.

Email sent by Sajnani to Air India / Source: Medium

However, he immediately emailed Air India notifying them of the vulnerability that resided in their tracking system and consequently received a call from the manager of finance asking Sajnani to prove his claims. He followed the request accordingly and was rewarded for his efforts.

Proof sent by Sajnani to Air Indian / Source: Medium

SpiceJet got spiced

SpiceJet was another one of Sajnani’s victims. This time, however, it was not only the system that was defective; rather it was an entire department which did not pay attention to the irregularities of the transactions that Sajnani was able to carry out.

Essentially, Sajnani booked a flight from Ahmedabad to Goa for just Rs. 4. The actual flight would have cost him Rs. 4,000. Later, however, he canceled the ticket and made himself eligible for a refund of Rs. 2000. However, Sajnani had to call the helpline informing them he has canceled the ticket and should, therefore, receive a refund.

Proof sent by Sajnani to SpiceJet / Source: Medium

This implies that no one in Spice Jet was aware of what was happening and was also not responsible enough to automatically give Sajnani his refund. Nevertheless, he emailed Spice Jet informing them of the vulnerability in their system. The reply that he got first was simply alarming since it stated that Sajnani could email his resume to the careers department if he wants an internship. Seeing such a response, Sajnani then reached out to the General Manager of Spice Jet, Mr. Pradeep Shah and the reply he got had a .eml attachment named “Double Facepalm.”

Reply from Spice Jet / Source: Medium
  • “They sent me our previous correspondence in a .eml type file attached *Double Facepalm * This time the mail was signed by their Nodal Officer. Either they didn’t understand the point I made Or they didn’t like to acknowledge the fact that their security was compromised.”
Another unrelated reply from SpiceJet / Source: Medium

Cleartrip and Sajnani’s attempt to enjoy the luxury of a lifetime

Sajnani hacked into Cleartrip’s booking system and booked himself a flight for free. He notified the company by sending out an email. Later, the company responded back requesting Sajnani to call them and explain the vulnerability. Nevertheless, realizing the danger of talking about these things over a phone, Sajnani refused and asked them to continue the correspondence over email.


Email from Sajnani to Cleartrip / Source: Medium

Sajnani then explained the vulnerability through an email.

Furthermore, the payment system of Cleartrip was found defective as it entitled Sajnani for a Rs. 1,199 refund and the money was credited in his Mobiwik wallet. Sajnani informed Cleartrip regarding this issue as well but did not hear back.

Proof of hack / Source: Medium
Proof of hack (2) / Source: Medium
  • “I deliberately tried to hack into each one of them. This is just something I love. Obviously, I never shared any of my findings with anyone else. I’m doing it now because their applications have been updated & thus bugs have been removed,” Sajnani wrote in his post on Medium.

What this all means?

Sajnani, for one, was highly disappointed since only a couple of companies responded him professionally, while others either ignored it or took it as a joke. This implies that such companies are too arrogant to accept the weaknesses in their systems.

Sajnani stated that at least these companies should have the courtesy of replying appropriately when someone is pointing out the flaws in their digital systems. All of this implies that we all are vulnerable to theft and security breaches and no company is cautious enough to address such issues.

The importance of cyber security in India:

Although CloudFlare bug bounty reward is often ridiculed for being a meager t-shirt; companies in India seem oblivious to the ridicule and are doing somewhat similar. Last week HackRead exclusively broke the news about the Zomato hack where it turned out that their bug bounty reward is just a simple certification. This shows that most of the giants are willing to make money but when it comes to spending on their security they are not ready for it or are not willing to absorb the expense.

Furthermore, the replies from the companies Sajnani got in touch with also show a lack of education regarding the cyber security in India. While it’s true that India might be the next big thing in the world of technology, the need to educate officials at companies like Air India, SpiceJet and Zomato is a necessity like never before.

Image Credit: Shutterstock

DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Related Posts