The Indian government’s tax authorities have fixed a security flaw in the country’s income tax filing portal that exposed sensitive taxpayer data.
The flaw, discovered by security researchers Akshay CS and ‘Viral’ in September, allowed anyone who logged into the Income Tax Department’s e-filing portal to access other people’s sensitive personal and financial data.
The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay tax on their income in India. The data also included citizens’ Aadhaar numbers, a unique government-issued identifier used as proof of identity and to access government services.
TechCrunch has verified the data to the best of its ability by granting researchers permission to search this reporter’s records on the portal.
Security researchers confirmed to TechCrunch on October 2 that the vulnerability had been fixed. Given the risk to the public, TechCrunch withheld this story from publication until security researchers confirmed the vulnerability could no longer be exploited.
A representative from India’s Income Tax Department acknowledged an email requesting comment but did not respond to questions by press time. The Income Tax Department did not object to the publication of this story.
‘Very low’ bug allowed access to sensitive data
Security researchers Akshay CS and ‘Viral’ told TechCrunch that they discovered the vulnerability while filing their own income tax returns on the government’s portal.
Residents of India are required to report their annual earnings so that the tax owed to the Indian government can be calculated.
The researchers found that when a person signs in to the portal using their Permanent Account Number (PAN), an identifier issued by India’s Income Tax Department, they can see other people’s sensitive financial data by replacing their own PAN with someone else’s PAN in a network request sent when the web page loads.
This can be done using publicly available tools such as Postman or Burp Suite (or using your web browser’s built-in developer tools).
The bug was exploitable by anyone logged into the tax portal because the Income Tax Department’s backend servers did not properly check whether the requesting user was allowed to access the requested person’s sensitive data. This class of vulnerability is known as an insecure direct object reference (IDOR), a common and simple flaw that the government warns can easily result in a large-scale data breach.
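To make the mechanism concrete, the following is an added example written for this page, not code from the Income Tax Department’s portal, whose internals are not public. It models a profile lookup that trusts the PAN supplied in the request (the IDOR described above) next to the same lookup with the missing authorization check, and a small scan over constructed access-log lines that flags the pattern such probing leaves behind. The record store, the session model, the log format and every PAN value are assumptions made up for illustration.

```python
"""Insecure direct object reference (IDOR) in a tax-portal style profile lookup,
and the authorization check that closes it.

Added illustration only. The record store, session model, log format and PAN
values are constructed; they are not the real portal's data or code.
"""
from dataclasses import dataclass
from collections import defaultdict

# Constructed taxpayer records keyed by PAN. The values are invented; they only
# follow the 10-character AAAAA9999A shape of a PAN for realism.
RECORDS = {
    "ABCDE1234F": {"name": "Taxpayer One", "bank_account": "1111", "aadhaar_last4": "2222"},
    "PQRST5678K": {"name": "Taxpayer Two", "bank_account": "3333", "aadhaar_last4": "4444"},
}


@dataclass
class Session:
    """What the server knows about the logged-in user: the PAN they authenticated with."""
    pan: str


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def vulnerable_profile(session: Session, requested_pan: str) -> dict:
    """Looks up whatever PAN the client put in the request.

    The session is accepted but never compared with the object identifier, so any
    logged-in user can read any other taxpayer's record. This is the bug class
    described in the article.
    """
    if requested_pan not in RECORDS:
        raise KeyError("no such taxpayer")
    return RECORDS[requested_pan]


def hardened_profile(session: Session, requested_pan: str) -> dict:
    """Same lookup, but the identifier is checked against the authenticated identity
    before any data is returned. (Safer still: drop the client-supplied PAN entirely
    and look up RECORDS[session.pan], so there is nothing to tamper with.)
    """
    if requested_pan != session.pan:
        raise Forbidden("PAN in request does not match the authenticated session")
    if requested_pan not in RECORDS:
        raise KeyError("no such taxpayer")
    return RECORDS[requested_pan]


def probe(handler, session: Session, requested_pan: str) -> tuple:
    """Drive a handler the way a tester with Burp or Postman would: swap the PAN in
    the request and report whether the server served the record or refused."""
    try:
        return ("ok", handler(session, requested_pan)["name"])
    except Forbidden:
        return ("forbidden", None)


# Constructed access-log lines: "<session id> <PAN requested>". Real portal logs
# are not public; this format is an assumption for the detection below.
SAMPLE_LOG = """\
sess-1 ABCDE1234F
sess-1 ABCDE1234F
sess-2 ABCDE1234F
sess-2 PQRST5678K
sess-2 KLMNO9012X
"""

# Which PAN each session authenticated with (constructed to match SAMPLE_LOG).
SESSION_PANS = {"sess-1": "ABCDE1234F", "sess-2": "ABCDE1234F"}


def foreign_pan_requests(log_text: str, session_pans: dict) -> dict:
    """Return, per session, the set of PANs requested that differ from the PAN the
    session logged in with. Any non-empty set is the trace an IDOR probe leaves in
    ordinary access logs, whether or not the backend enforced authorization."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session_id, requested_pan = line.split()
        own_pan = session_pans.get(session_id)
        if own_pan is not None and requested_pan != own_pan:
            hits[session_id].add(requested_pan)
    return dict(hits)


if __name__ == "__main__":
    attacker = Session(pan="ABCDE1234F")
    print("vulnerable:", probe(vulnerable_profile, attacker, "PQRST5678K"))
    print("hardened:  ", probe(hardened_profile, attacker, "PQRST5678K"))
    print("sessions requesting other people's PANs:", foreign_pan_requests(SAMPLE_LOG, SESSION_PANS))
```

The fix is the single comparison in `hardened_profile`: the server decides whose record to return from the session it issued, not from a field the client controls. The log scan is only a retrospective check and cannot tell whether the data was actually served, which is why the article's question of whether anyone exploited the flaw depends on server-side records rather than on this kind of heuristic.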
“This is very low, but it has very serious consequences,” researchers told TechCrunch.
In addition to personal data, researchers said the bug also exposed data related to companies registered on the electronic filing portal.
TechCrunch also confirmed that the bug exposed data about individuals who have not yet filed income tax returns this year. We confirmed this by asking people who had not yet filed their tax returns for permission to have their information examined by researchers using the portal bug.
CERT-In acknowledges security flaw
Security researchers alerted India’s Computer Emergency Response Team (CERT-In) to the security flaw soon after it was discovered, but no timeline for a fix was provided.
When contacted by TechCrunch on September 30, a CERT-In representative said the Income Tax Department was already working to fix the vulnerability.
India’s Ministry of Finance did not return TechCrunch’s request for comment. When TechCrunch contacted the Income Tax Department regarding the vulnerability, its director of systems acknowledged receipt of TechCrunch’s email on October 1 but did not comment further.
It remains unclear how long the vulnerability existed and whether malicious parties accessed the exposed data. CERT-In did not respond to these questions when asked by TechCrunch.
The exact number of users whose data was exposed is also unknown. The Income Tax Department’s portal lists over 135 million registered users, and over 76 million users have filed income tax returns for the financial year 2024-25, according to public data available on the portal itself.