An IndiGo passenger who lost his luggage shared his “low-key hacker moment” on Twitter and narrated how he managed to recover it on his own. After Nandan Kumar’s Twitter thread went viral, the airline responded by saying its IT processes are completely robust and the website was not compromised.
— IndiGo (@IndiGo6E) March 29, 2022
Kumar, whose Twitter bio says he is a software engineer, boarded an IndiGo flight from Patna to Bengaluru on March 27, and his bag got exchanged with a co-passenger’s as their luggage was similar in appearance. He contacted IndiGo’s customer care agents, but their efforts to connect him with the co-passenger were not fruitful. Citing privacy and data protection, the airline company did not provide him with the contact details of the co-passenger.
So long story short I couldn’t get any resolution on the issue. And neither your customer care team was not ready to provide me the contact details of the person citing privacy and data protection. @Ankurkrtweets take note of this, it gets interesting😝 5/n
— Nandan kumar (@_sirius93_) March 28, 2022
Tired of waiting for the call promised by IndiGo, he decided to “take the matter in his own hands”. Kumar tried to get the details of the co-passenger from the website by using the PNR written on the bag tag.
So I slept the night without any resolution to the issue. Thinking I may get a call in morning.
And after I did not get any calls from @IndiGo6E I decided to take the matter in my own hands 7/n
— Nandan kumar (@_sirius93_) March 28, 2022
“So, today morning I started digging into the indigo website trying the co passenger’s PNR which was written on the bag tag in the hope to get the address or number by trying different methods like check-in, edit booking, update contact, But no luck whatsoever,” Kumar tweeted.
So, today morning I started digging into the indigo website trying the co passenger’s PNR which was written on the bag tag in hope to get the address or number by trying different methods like check-in, edit booking, update contact, But no luck whatsoever. 8/n
— Nandan kumar (@_sirius93_) March 28, 2022
Kumar said his “dev instinct” then prompted him to press F12, which opened the browser’s developer console on the IndiGo website. From there he managed to get his co-passenger’s details, and the two later swapped their bags after meeting in person.
And there in one of the network responses was the phone number and email ID of my co-passenger.
Ah this was my low-key hacker moment 😇😇 and the ray of hope.
I made note of the details and decided to call the person and try to get the bags swapped. #dev #dataleak #bug pic.twitter.com/9l4pmNDk6V
— Nandan kumar (@_sirius93_) March 28, 2022
And thankfully I was able to reach my co passenger with the phone number I got from the logs and luckily we lived in a close proximity of 6-7 KMs. So we decided to meet at a Center point and got our bags swapped.
Dear @IndiGo6E, take note of my next tweet and try to improve.
— Nandan kumar (@_sirius93_) March 28, 2022
Tagging IndiGo, the engineer suggested the airline company make their customer service more proactive than reactive. He also noted that the website leaks sensitive data and asked them to get it fixed.
Fun Fact:
When I asked my co passenger if he had got a call from indigo, he denied it saying he did not get any calls. While the agent claimed to me that they called three times. @IndiGo6E @Ankurkrtweets @scottishladki
— Nandan kumar (@_sirius93_) March 28, 2022
The Twitter thread grabbed netizens’ attention and some users found it interesting and funny while others pointed out that hacking a website was not right.
Amazing Story 😂
When you are a developer not just any other Engineer. https://t.co/pG9wYjGMAG
— hawabaz (@hawabazi) March 31, 2022
Everything happens for a purpose. And the purpose of this incident is to let the @IndiGo6E guys know that sensitive data needs to be protected. https://t.co/R3PEeo6Wzs
— Dr.Ananth (@Amazingananth) March 31, 2022
Neither our bags are safe nor our data 😂
Good job 👌 https://t.co/7xuQo3MqRT
— chink_s (@ch_inks) March 31, 2022
This shows huge vulnerability in your web security at @IndiGo6E Please fix this problem to avoid people losing their PII info… https://t.co/l4PyAx6AXd
— Abhay (@abhysin) March 31, 2022