We live in a world of password managers, Face IDs and biometric authentication. We talk about data privacy and internet education and still flaunt our boarding passes on Insta stories.
Yeah… a totally safe thing to do!
The surface web has turned out to be not so private; it is an ocean of our personal information floating all around. Did you know your attention time is worth less than even a dollar? (The Social Dilemma.) We are sold wholesale!
One of the recent cracks in the illusion of a safe internet came to light thanks to a bag exchange and Indigo Airlines.
The story we are looking at today is about an Indigo passenger whose bag got exchanged at the airport, and who decided to take the company’s entire reputation down to get his bag back. Well, that came flying faster than Will Smith slapping Chris Rock.
Nandan Kumar, a software engineer, was travelling from Patna to Bengaluru on an Indigo flight, where his bag got exchanged with a co-passenger’s. The bags looked identical. Nandan didn’t realise that it wasn’t his bag till he got home. As soon as he realised, his first move was to contact Indigo’s customer support.
The customer support was, well… as expected.
It wasn’t prompt at all. Even after that, they didn’t connect him to the other passenger (or so they said. Actually, who’s watching them except ATC?). Neither were they willing to give Nandan the other passenger’s contact information so he could try for himself. Nandan waited but was adamant that he wanted his bag back. You can’t keep engineers waiting for too long, except for job interviews. So, he decided to take matters into his own hands.
All he had was the other passenger’s PNR number, which he found on the bag. Nandan went straight to Indigo’s website, hoping to find something while logging in with that particular PNR number. He pressed F12 on his keyboard and started scrolling through the network logs in the browser’s developer console. And guess what: somewhere in the forbidden streets of the website, he found it.
In one of the network responses, he found the email address and phone number of his co-passenger.
How much time, effort and expertise did it take? We replicated the process and it took us 10 minutes to get to that particular file. Please don’t try this at home!!
This meant anyone on the internet could access your personal information with just your PNR number and your last name, which, by the way, many of us casually flaunt on the internet.
Indigo, though, responded in quite a professional and defensive manner, stating that the information available is supposed to be there for people to view and that their website wasn’t compromised, because they remain fully committed to consumer data privacy and industry-benchmark cybersecurity standards. Yet a file of personal details is sitting unencrypted in their log. Well, “this is plain hypocrisy.”
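One way a booking-lookup endpoint could avoid handing a co-passenger's email and phone number to anyone holding a PNR, shown as an added example that is not from the original post or from Indigo's code: the response is built from an allow-list, and contact details are masked unless the requester is the signed-in booking owner. The field names, the requester object and the sample record are assumptions constructed for illustration.

```javascript
// Added example: all field names and the sample record are hypothetical.
const PUBLIC_FIELDS = ["pnr", "flightNumber", "origin", "destination", "status"];

// Mask an email so the owner can recognise it but a stranger cannot use it.
function maskEmail(email) {
  const [local, domain] = email.split("@");
  return `${local[0]}***@${domain}`;
}

// Keep only the last two digits of a phone number.
function maskPhone(phone) {
  const digits = phone.replace(/\D/g, "");
  return "*".repeat(digits.length - 2) + digits.slice(-2);
}

// Build the response for a PNR + last-name lookup from an allow-list.
// Contact details go out in full only to the authenticated booking owner.
function buildBookingResponse(booking, requester) {
  const out = {};
  for (const key of PUBLIC_FIELDS) out[key] = booking[key];
  const isOwner = requester.authenticated && requester.userId === booking.ownerUserId;
  out.contact = isOwner
    ? { email: booking.contact.email, phone: booking.contact.phone }
    : { email: maskEmail(booking.contact.email), phone: maskPhone(booking.contact.phone) };
  return out;
}

// Regression check: walk a response and list paths holding a full email or phone number.
function findExposedPii(value, path = "$") {
  if (typeof value === "string") {
    const email = /^[^@\s*]+@[^@\s]+\.[^@\s]+$/.test(value);
    const phone = /^\+?\d[\d\s-]{8,}\d$/.test(value);
    return email || phone ? [path] : [];
  }
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => findExposedPii(v, `${path}.${k}`));
  }
  return [];
}

// Constructed sample record (not real data).
const sampleBooking = {
  pnr: "ABC123", flightNumber: "XX 100", origin: "PAT", destination: "BLR",
  status: "CONFIRMED", ownerUserId: "u-1001", internalNotes: "constructed",
  contact: { email: "passenger@example.com", phone: "+91 90000 00000" },
};
```

Running `findExposedPii` over every anonymous response in an automated test catches a new field that starts leaking contact data before it reaches the browser's network tab.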
This has sparked the age-old debate of data privacy, yet again. We live in a world where either you shell out some bucks for being ad-free or sell data points on yourself to get your favourite services for free. It’s an exchange most internet consumers did not consent to; well, they did, but just were not aware of it. And just like many tales, this too will fade away once the media turns its eyes somewhere else.
All you can do is stay vigilant on the internet, as always! If you liked this, share it!