Security Flaw in India’s Income Tax Portal Exposed Sensitive Data
India’s income tax department has resolved a significant security vulnerability in its e-Filing portal that exposed sensitive personal and financial data of taxpayers, TechCrunch has confirmed. The flaw, discovered by security researchers Akshay CS and “Viral,” allowed any logged-in user to access up-to-date records of other taxpayers by manipulating network requests.
Nature of the Vulnerability
The vulnerability was an insecure direct object reference (IDOR), a common yet critical class of access-control flaw. By replacing their own Permanent Account Number (PAN) with another taxpayer's in the portal's network requests, users could retrieve sensitive data belonging to others. This included full names, addresses, email addresses, dates of birth, phone numbers, bank account details, and Aadhaar numbers — India’s unique government-issued identity number. The flaw was exploitable through widely available tools like Postman, Burp Suite, or browser developer tools, requiring only knowledge of another person’s PAN.
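As an added illustration (not code from the e-Filing portal, whose implementation is not public), the following Python models the IDOR pattern described above: a profile lookup that trusts the PAN supplied in the request beside one that binds the lookup to the PAN proven at login, plus a check over constructed access-log lines that flags sessions reading a PAN other than their own. Session, TAXPAYERS, the log layout and every sample value are assumptions.

```python
from dataclasses import dataclass

# Constructed sample records keyed by PAN; every value here is made up.
TAXPAYERS = {
    "ABCDE1234F": {"name": "Taxpayer One", "aadhaar": "XXXX-XXXX-1111", "bank": "...0001"},
    "PQRST5678Z": {"name": "Taxpayer Two", "aadhaar": "XXXX-XXXX-2222", "bank": "...0002"},
}

@dataclass
class Session:
    pan: str  # the PAN the user proved at login (hypothetical server-side session)

class Forbidden(Exception): pass

def get_profile_vulnerable(session: Session, requested_pan: str) -> dict:
    # IDOR: the PAN comes from the request, so authentication is checked
    # (a session exists) but authorization is not (whose PAN is it?).
    return TAXPAYERS[requested_pan]

def get_profile_fixed(session: Session, requested_pan: str) -> dict:
    # Fix: the object reference must match the identity bound to the session,
    # and the record is then looked up by the session's PAN, never the client's.
    if requested_pan != session.pan:
        raise Forbidden("requested PAN does not belong to the authenticated user")
    return TAXPAYERS[session.pan]

def denies(session: Session, requested_pan: str) -> bool:
    # True when the fixed handler refuses the request.
    try:
        get_profile_fixed(session, requested_pan)
    except Forbidden:
        return True
    return False

# Constructed access-log lines in a hypothetical "session_pan method path status" layout.
ACCESS_LOG = [
    "ABCDE1234F GET /profile?pan=ABCDE1234F 200",
    "ABCDE1234F GET /profile?pan=PQRST5678Z 200",
    "PQRST5678Z GET /profile?pan=PQRST5678Z 200",
]

def find_cross_pan_access(lines: list[str]) -> list[tuple[str, str]]:
    """Detection: sessions that fetched a profile for a PAN other than their own."""
    hits = []
    for line in lines:
        session_pan, _method, path, _status = line.split()
        requested = path.split("pan=", 1)[1]
        if requested != session_pan:
            hits.append((session_pan, requested))
    return hits
```

The same mismatch check that the fixed handler enforces is what a log review would hunt for retrospectively: a session whose identity and requested object reference disagree.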
Researchers’ Discovery and Verification
Security researchers Akshay CS and “Viral” discovered the issue while filing their own tax returns. They responsibly disclosed the vulnerability to India’s Computer Emergency Response Team (CERT-In) in September. TechCrunch independently verified the flaw by obtaining permission to access this reporter’s data through the portal. The researchers confirmed on October 2 that the issue had been fixed. Given the sensitivity of the data, publication was delayed until the fix was confirmed.
Government Response
CERT-In acknowledged the vulnerability and stated the Income Tax Department was actively addressing it. However, neither CERT-In nor the Income Tax Department provided a timeline for the fix or details on the breach’s duration and scope. Requests for comment from the Indian Ministry of Finance and the Income Tax Department went unanswered, although the department acknowledged TechCrunch’s outreach.
Scope and Impact
The exact period during which the vulnerability existed is unknown, as is whether malicious actors exploited it. The portal has over 135 million registered users, with more than 76 million filing income tax returns in the 2024-25 fiscal year, indicating the potential scale of data exposure. The bug also exposed data related to companies registered on the e-Filing portal and individuals who had not yet filed their returns for the current year.
Security Implications
“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch, emphasizing the ease of exploitation and the critical nature of the exposed data.
FinOracleAI — Market View
The discovery and remediation of this IDOR vulnerability in India’s tax portal underscore the persistent cybersecurity challenges faced by government digital services handling sensitive citizen data. While the patch mitigates immediate risks, the incident highlights systemic issues in access control and data protection.
- Opportunities: Strengthening authentication and authorization protocols; implementing rigorous security audits for government portals; raising public awareness about data privacy.
- Risks: Potential exploitation by malicious actors before the fix; erosion of public trust in government digital infrastructure; risk of identity theft and financial fraud from exposed Aadhaar and bank details.
Impact: The incident is a cautionary example of the vulnerabilities inherent in large-scale digital government platforms. It calls for enhanced cybersecurity investment and transparent communication to restore taxpayer confidence.