Man Hacks Airline's Website to Track Down Luggage

A man claims to have hacked an Indian airline’s website to retrieve his missing luggage.

The 28-year-old, named Nandan Kumar, had initially called airline IndiGo in an attempt to track down the bag that had been mixed up with another passenger’s, but after the low-cost carrier allegedly refused to assist with identifying them, Mr Kumar took matters into his own hands.

man hacks indian airline indigo website to find luggage — IndiGo claims calls to Mr Kumar to help reunite him with his luggage went unanswered. © Md Shaifuzzaman Ayon

Despite not being a professional hacker, Mr Kumar felt he had no choice but to “do something” to locate his luggage.

Hey @IndiGo6E ,
Want to hear a story? And at the end of it I will tell you hole (technical vulnerability )in your system? #dev #bug #bugbounty 😝😝 1/n
— Nandan kumar (@_sirius93_) March 28, 2022

Mr Kumar told reporters that he only became aware of the situation once he arrived home, as both passengers’ bags were identical.

As the Passenger Name Record number was printed on the luggage tag, he called the airline to ask for information about the passenger, but citing data protection rules, they refused to assist.

IndiGo commented that their staff “followed protocol by not sharing any other passenger’s contact details with another passenger – this is in line with our data privacy policies.”

The customer service member advised Mr Kumar that they would identify the other passenger themselves and reach out once they had done so – “but the call never came.”

Data not encrypted

After attempting to use the little information he had to access the passenger’s booking online, he realised another possible route.

“After all failed attempts, my developer instinct kicked in, and I pressed the F12 button on my computer keyboard and opened the developer console on the IndiGo website. I thought, ‘let me check the network logs’.”

He was then able to quickly retrieve the passenger’s telephone number after looking for any details which would allow him to get in touch. Mr Kumar said he was surprised he could access the data, as it should have been encrypted.

IndiGo commented that “at no point was the IndiGo website compromised”.

Mr Kumar finally called his fellow passenger using the number from the website logs, and the two reunited to swap their bags.

The airline said it was “reviewing this case in detail” and emphasised its “IT processes are completely robust”.

Are you surprised that Nandan Kumar was able to retrieve the contact details of his fellow passenger? Let us know in the comments below.