
India’s Income Tax Portal Security Flaw Exposed Taxpayer Data

Summary

– The Indian tax authority fixed a security flaw in its e-Filing portal that exposed sensitive taxpayer data, including personal and financial information.
– The vulnerability allowed logged-in users to access others’ data by manipulating PAN identifiers in network requests, exploiting an insecure direct object reference (IDOR) flaw.
– Exposed data included full names, addresses, email addresses, phone numbers, bank details, and Aadhaar numbers for both individuals and registered companies.
– Security researchers discovered the flaw in September and confirmed it was fixed by October 2, with TechCrunch delaying publication until the vulnerability was resolved.
– The portal has over 135 million registered users, though it’s unclear how long the vulnerability existed or if malicious actors accessed the data.

A significant security vulnerability on India’s official income tax filing platform potentially exposed the confidential financial and personal information of millions of taxpayers. The security flaw, now resolved, allowed individuals logged into the e-Filing portal to access other users’ sensitive data, including bank account details and government identification numbers.

The issue was identified in September by security researchers Akshay CS and “Viral.” They found that after signing into the portal with their own Permanent Account Number (PAN), they could retrieve another taxpayer’s complete records by simply substituting a different PAN in the web request. This technique could be executed using common software tools available to the public.

Data accessible through this flaw included individuals’ full names, residential addresses, email contacts, birth dates, mobile numbers, and comprehensive bank information. Critically, it also revealed citizens’ Aadhaar numbers, the government-issued identity number that is essential for accessing public services. The researchers verified the bug’s functionality by accessing a TechCrunch reporter’s records with permission, confirming the severity of the exposure.

This type of security weakness is categorized as an insecure direct object reference (IDOR), a fundamental flaw where backend systems fail to properly verify user authorization before granting data access. The researchers described the vulnerability as “an extremely low-hanging thing, but one that has a very severe consequence,” noting it could have enabled widespread data breaches.
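As an added illustration (not code from the portal or from TechCrunch’s reporting), the hypothetical Python model below shows the missing object-level authorization check an IDOR amounts to, the fix, and a simple access-log heuristic a defender could use to spot cross-PAN lookups; all PANs, records and log lines are constructed placeholders.

```python
import re
from dataclasses import dataclass
class AuthorizationError(Exception):
    """Raised when a request targets a record the session does not own."""

# Constructed sample records keyed by PAN (placeholder values, not real PANs).
TAXPAYERS = {
    "AAAPA0000A": {"name": "Taxpayer One", "bank_account": "XXXX-0001"},
    "BBBPB0000B": {"name": "Taxpayer Two", "bank_account": "XXXX-0002"},
}

@dataclass
class Session:
    pan: str  # the PAN the user authenticated with

def get_profile_vulnerable(session: Session, requested_pan: str) -> dict:
    """IDOR: the record key comes from the request and is never compared with
    the authenticated identity, so any logged-in user can read any record."""
    return TAXPAYERS[requested_pan]

def get_profile_fixed(session: Session, requested_pan: str) -> dict:
    """Object-level authorization: the requested key must match the session's
    PAN (a real portal would also allow explicitly delegated access)."""
    if requested_pan != session.pan:
        raise AuthorizationError("requested PAN is not the authenticated user's")
    return TAXPAYERS[requested_pan]

def get_own_profile(session: Session) -> dict:
    """Preferred design: derive the key from the session, not from the request,
    so there is no client-controlled identifier to tamper with."""
    return TAXPAYERS[session.pan]

# Detection side (constructed log format): flag requests whose query PAN differs
# from the session PAN; adapt the pattern to whatever the real access logs record.
CROSS_PAN = re.compile(r"session_pan=(\S+)\s+requested_pan=(\S+)")

def flag_cross_pan_requests(log_lines):
    """Return the log lines where a session asked for someone else's PAN."""
    hits = []
    for line in log_lines:
        m = CROSS_PAN.search(line)
        if m and m.group(1) != m.group(2):
            hits.append(line)
    return hits

SAMPLE_LOG = [  # constructed access-log lines
    "GET /profile session_pan=AAAPA0000A requested_pan=AAAPA0000A 200",
    "GET /profile session_pan=AAAPA0000A requested_pan=BBBPB0000B 200",
    "GET /profile session_pan=BBBPB0000B requested_pan=BBBPB0000B 200",
]
```

A single mismatching line is a legitimate delegation or a typo; a session that walks through many distinct PANs in a short window is the pattern worth alerting on.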

The security researchers promptly reported their findings to India’s Computer Emergency Response Team (CERT-In). While CERT-In acknowledged the report, they did not provide a specific timeline for implementing a solution. Following TechCrunch’s inquiry on September 30th, a CERT-In representative confirmed that the Income Tax Department was actively addressing the problem.

By October 2nd, the researchers confirmed the vulnerability had been successfully patched, preventing further exploitation. TechCrunch delayed publishing this information until receiving confirmation that the security gap was closed, prioritizing public safety.

The security lapse also potentially exposed information belonging to registered companies using the e-Filing portal. Additionally, the flaw affected individuals who had not yet submitted their annual tax returns for the current financial year, as confirmed through authorized testing.

The exact duration the vulnerability existed and whether any malicious parties exploited it remain unknown. Officials from the Income Tax Department acknowledged receipt of media inquiries but declined to provide specific comments. The Ministry of Finance similarly did not respond to requests for information.

With over 135 million registered users on the platform and more than 76 million individuals filing returns in the 2024-25 financial year, the potential scale of this data exposure was substantial. The incident highlights ongoing challenges in securing critical government digital infrastructure that handles citizens’ most confidential financial information.

(Source: TechCrunch)
