After Security Alert, India’s Income Tax Portal Patches Flaw Exposing All Taxpayer Data

Security alert

The Indian government’s tax authority has patched a significant security flaw in its official income tax filing portal that was exposing a vast amount of taxpayers’ sensitive personal and financial data. TechCrunch has exclusively learned and confirmed that the vulnerability is now fixed.

The flaw, discovered in September by security researchers Akshay CS and “Viral,” allowed any user logged into the Income Tax Department’s e-Filing portal to access the up-to-date data of any other taxpayer.


What Data Was Exposed?

The exposed information was highly sensitive and included details critical for identity verification and financial transactions:

  • Personal Identifiers: Full names, home addresses, email addresses, dates of birth, and phone numbers.
  • Financial Details: Bank account details.
  • Government ID: Citizens’ Aadhaar number, a unique government-issued identifier essential for accessing various services.

The researchers, with permission, were even able to look up a reporter’s records, confirming the severity of the data leak. TechCrunch withheld publishing the story until the researchers confirmed the vulnerability was fully patched on October 2.

An “Extremely Low-Hanging” Flaw

The researchers discovered the bug while filing their own income tax returns. They found that by simply swapping out their Permanent Account Number (PAN)—an official tax document number—for another taxpayer’s PAN within the network request, they could view the other person’s entire financial profile.

This exploit, achievable using common web developer tools like Postman or Burp Suite, was possible because the Indian Income Tax Department’s back-end servers were not properly verifying who was authorized to access the data.

This type of vulnerability is known as an Insecure Direct Object Reference (IDOR)—a common and simple programming error that can lead to large-scale data breaches. “This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch.
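To make the IDOR concrete, here is an added illustration (not code from the portal or from the researchers): a handler that looks up a record by the client-supplied PAN after only checking for a login, next to a hardened version that checks the PAN against what the authenticated identity is authorized to read, plus a small log check a defender could run to spot cross-PAN requests. The record store, the session model with an `authorized_pans` set, and the log line format are all assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample records keyed by PAN; every value here is made up.
TAXPAYERS = {
    "AAAPA1111A": {"name": "Taxpayer One", "bank_account": "XXXX1111"},
    "BBBPB2222B": {"name": "Taxpayer Two", "bank_account": "XXXX2222"},
}


@dataclass
class Session:
    """Authenticated session. authorized_pans is an assumed model of which PANs
    the logged-in user may read (their own, plus any entity they represent)."""
    user_id: str
    authorized_pans: frozenset


class Forbidden(Exception):
    pass


def profile_vulnerable(session, requested_pan):
    """IDOR pattern described in the article: login is checked, but the
    client-supplied PAN is used directly as the lookup key, so any logged-in
    user can read any other taxpayer's record by changing that parameter."""
    if session is None:
        raise Forbidden("login required")
    return TAXPAYERS[requested_pan]


def profile_fixed(session, requested_pan):
    """Hardened handler: the lookup key must be one the authenticated identity
    is authorized for, decided server-side before any record is read."""
    if session is None:
        raise Forbidden("login required")
    if requested_pan not in session.authorized_pans:
        raise Forbidden(f"{session.user_id} is not authorized for {requested_pan}")
    return TAXPAYERS[requested_pan]


def cross_pan_requests(log_lines):
    """Detection aid over constructed access-log lines of the form
    'user=<id> session_pan=<pan> requested_pan=<pan>': return the
    (user, requested_pan) pairs where a user asked for a PAN other than
    the one bound to their own session."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["session_pan"] != fields["requested_pan"]:
            hits.append((fields["user"], fields["requested_pan"]))
    return hits
```

The fixed handler still accepts the PAN as a parameter so that a user who legitimately represents more than one entity can be served; the essential change is that the server, not the client, decides which keys a session may resolve.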

The bug didn’t just affect individuals; it also exposed data associated with companies registered on the e-Filing portal, as well as individuals who had not yet filed their returns for the year.


Official Response Remains Limited

The researchers alerted CERT-In (India’s computer emergency readiness team) immediately after their discovery. While a CERT-In representative confirmed on September 30 that the Income Tax Department was working on a fix, authorities have been largely silent:

  • The Indian Ministry of Finance did not respond to requests for comment.
  • The Income Tax Department acknowledged receipt of TechCrunch’s email but offered no further comment.

It remains unclear how long the vulnerability existed or whether any malicious third parties exploited the flaw before it was fixed. The potential scale of the exposure is significant, as the tax portal has over 135 million registered users, with more than 76 million filing returns in the 2024-2025 financial year.
