Sensitive Info Of Taxpayers Getting Leaked From Income Tax Website


Mohul Ghosh

Oct 10, 2025


A security flaw in the Indian government’s income tax filing portal was exposing sensitive taxpayer data; according to a recent media report, the government’s tax authority has now fixed it.


How Did This Happen?

The flaw was identified in September by a pair of security researchers, Akshay CS and “Viral.” It allowed anyone who was logged into the income tax department’s e-Filing portal to access up-to-date personal and financial data of other people.

The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers and bank account details of people who pay income tax in India.

The flaw also exposed citizens’ Aadhaar numbers. Aadhaar is a unique government-issued identifier used as proof of identity and for accessing government services in India.

As confirmed by the security researchers, the vulnerability was fixed on October 2 and it can no longer be exploited.

Representatives for the Indian Income Tax Department acknowledged the request for comment but have not yet released a statement.

What Was The Flaw And How Did It Grant Access To Sensitive Data?

It appears that the security researchers Akshay CS and “Viral” discovered this vulnerability while filing their recent income tax return on the government website.

As we already know, residents of India are required to file their annual earnings so that the taxes they owe to the Indian government can be calculated.

In their research, they found that after signing into the portal using their Permanent Account Number (PAN), an official identifier issued by the Indian income tax department, they could view anyone else’s sensitive financial data by swapping their own PAN for another person’s PAN in the network request as the web page loads.

This was possible using publicly available tools such as Postman or Burp Suite (or the web browser’s built-in developer tools), together with knowledge of someone else’s PAN, the researchers told TechCrunch.

They found that the bug was exploitable by anyone who was logged in to the tax portal, because the Indian income tax department’s back-end servers were not properly checking who was allowed to access a person’s sensitive data.

They classified this vulnerability as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.
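To make the missing authorization check concrete, here is an added illustration (not the tax portal’s code) of a simplified profile endpoint with the IDOR pattern the researchers describe, beside a hardened version that binds the requested PAN to the logged-in session and counts refused cross-PAN requests so that probing stands out in an audit log. All PANs, records and session tokens are constructed sample values.

```python
# Added illustration, not the Income Tax Department's code. All PANs,
# records and session tokens below are constructed sample data.

# Taxpayer records keyed by PAN (constructed).
RECORDS = {
    "PAN-A": {"name": "Taxpayer A", "bank": "ACCT-A-0001", "aadhaar": "XXXX-0001"},
    "PAN-B": {"name": "Taxpayer B", "bank": "ACCT-B-0002", "aadhaar": "XXXX-0002"},
}

# Session token -> PAN the user authenticated with (constructed).
SESSIONS = {"sess-a": "PAN-A", "sess-b": "PAN-B"}


def vulnerable_profile(session_token, requested_pan):
    """Before: the server only checks that the caller is logged in, then
    trusts whatever PAN the client put in the request. Any logged-in user
    can therefore read any other taxpayer's record (the IDOR)."""
    if session_token not in SESSIONS:
        return {"status": 401}
    record = RECORDS.get(requested_pan)
    return {"status": 200, "data": record} if record else {"status": 404}


def hardened_profile(session_token, requested_pan, audit=None):
    """After: the PAN is taken from the server-side session, and a client
    PAN that does not match it is refused. Each refusal is counted per
    session so that repeated cross-PAN requests are visible to defenders.
    (For a pure self-service endpoint the client PAN could be ignored
    entirely and only the session's PAN used.)"""
    if session_token not in SESSIONS:
        return {"status": 401}
    owner_pan = SESSIONS[session_token]
    if requested_pan != owner_pan:
        if audit is not None:
            audit[session_token] = audit.get(session_token, 0) + 1
        return {"status": 403}
    record = RECORDS.get(owner_pan)
    return {"status": 200, "data": record} if record else {"status": 404}


def flag_suspicious_sessions(audit, threshold=3):
    """Sessions whose refused cross-PAN requests reached the threshold."""
    return sorted(s for s, n in audit.items() if n >= threshold)


if __name__ == "__main__":
    audit = {}
    leaked = vulnerable_profile("sess-a", "PAN-B")            # 200: other user's data
    blocked = hardened_profile("sess-a", "PAN-B", audit)      # 403: refused, logged
    print(leaked["status"], blocked["status"], flag_suspicious_sessions(audit, 1))
```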

The researchers said, “This is an extremely low-hanging thing, but one that has a very severe consequence.”

Besides individuals’ data, the bug also exposed data associated with companies registered with the e-Filing portal.

It appears that the bug also exposed data on individuals who have yet to file their income tax returns this year.

After discovering the bug, the security researchers alerted India’s computer emergency readiness team, or CERT-In, to the security flaw, but were not given a timeline for the fix.

A CERT-In representative said the Income Tax Department was already working to fix the vulnerability on September 30.

So far, it remains unclear how long the vulnerability existed or whether any malicious actors accessed the exposed data.

Besides this, the exact number of users impacted by the exposed data is also unclear.

The Income Tax Department’s portal lists more than 135 million registered users, and over 76 million users filed income tax returns in the financial year 2024-25, according to public data available on the portal itself.
