Kumar, who is a software engineer according to his Twitter bio, took advantage of a “technical vulnerability” to obtain details of the co-passenger who had his luggage.
He managed to find the passenger’s contact details via the IndiGo site which he then used to retrieve his luggage. Kumar took to Twitter to tell others how he did it.
“Hey @IndiGo6E. Want to hear a story? And at the end, I’ll tell you about a flaw (technical vulnerability) in your system?” Kumar’s first tweet from the thread read.
The passenger shared details of his flight and how the “error” caused the baggage swap.
“An honest mistake on our part. As the bags are exactly the same with a few minor differences,” he said.
Kumar realized he had chosen the wrong bag only after returning home when his wife pointed it out. “So right after I got home I called your customer service,” Kumar said in his tweet to IndiGo.
He then shared that it was a difficult task and a long wait to reach the airline’s customer service agent, who then tried to connect him to the co-passenger, but to no avail.
“So long story short, I was unable to get a resolution to the issue. And neither your customer service team was willing to provide me with the contact details of the person citing privacy and data protection,” a- he writes.
When the IndiGo agent did not return to Kumar even the next morning with details of his luggage, he decided to take matters into his own hands and started rummaging through the airline’s website.
“So now, after all the failed attempts, my dev instinct kicked in and I pressed the F12 button on my computer keyboard and opened the dev console on the @IndiGo6E website and started whole logging stream with network logging enabled,” he added.
Hey @IndiGo6E, wanna hear a story? And in the end I will tell you a hole (technical vulnerability) in your s… https://t.co/zWjYqgwRru
—Nandan kumar (@_sirius93_) 1648471157000
And in one of the replies from the network, Kumar found the phone number and email address of his co-passenger who had his luggage.
“Ah, that was my low key hacking moment and the silver lining,” he said, adding that he called him, who luckily lives not far from his home in Bengaluru and the two are then met halfway and swapped bags. .
Kumar ended his Twitter feed, which has now gone viral, claiming that IndiGo’s website is leaking sensitive data.
However, the airline responded to him on Twitter, saying their IT processes were fully robust and that at no time had the IndiGo website been compromised.