India's income tax portal exposed sensitive data of taxpayers


The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that exposed sensitive taxpayer data, TechCrunch has exclusively learned and confirmed with the authorities.

The flaw, discovered in September by security researchers Akshay CS and “Viral”, allowed anyone logged in to the income tax e-filing portal to access other people’s personal and financial data.

The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers and bank account details of people paying income tax in India. The data also revealed citizens’ Aadhaar numbers, a unique government-issued identifier used as proof of identity and for access to government services.

TechCrunch verified the data to the best of its ability by giving the researchers permission to look up this reporter’s records on the portal.

Security researchers confirmed to TechCrunch on October 2 that the vulnerability has been fixed. Given the risks to the public, TechCrunch withheld publication of this story until security researchers confirmed that the vulnerability could no longer be exploited.

Representatives of India’s Income Tax Department acknowledged our email seeking comment, but did not respond to our questions by press time. The Income Tax Department did not raise any objections to the publication of this story.

“Low-hanging” bug exposed sensitive data

Security researchers Akshay CS and “Viral” told TechCrunch that they discovered the vulnerability while filing their own income tax returns on the government website.

Residents of India must report their annual earnings to calculate the taxes they owe to the Indian government.

The researchers found that after logging in to the portal with their Permanent Account Number (PAN), the unique identifier issued by India’s Income Tax Department, they could view anyone else’s sensitive financial data by swapping another person’s PAN into the network request the web page sent as it loaded.

This could be done with publicly available tools such as Postman or Burp Suite (or the developer tools built into the web browser) and only basic technical knowledge, the researchers told TechCrunch.

The bug was exploitable by anyone logged in to the tax portal because the Income Tax Department’s back-end servers did not verify that the logged-in user was actually authorized to see the record they were requesting. This class of vulnerability is known as an Insecure Direct Object Reference, or IDOR: a common and simple flaw that governments have warned is easy to exploit and can lead to large-scale data breaches.
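The pattern described above, shown as an added illustration rather than code from the e-filing portal: a lookup handler that trusts the PAN supplied in the request (the IDOR) beside one that only releases the record belonging to the authenticated session, and a variant that never reads the identifier from the request at all. The record store, session object, PAN values and function names are all constructed for this example.

```python
"""Vulnerable vs. hardened record lookup for an IDOR of the kind described.

Added example, not the portal's code. Records, PANs and names below are
made up; the PAN format check only reflects the public shape of a PAN
(five letters, four digits, one letter).
"""
import re
from dataclasses import dataclass

PAN_RE = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]")

# Constructed sample data: two taxpayer records keyed by (fictitious) PAN.
RECORDS = {
    "ABCDE1234F": {"name": "Taxpayer One", "bank_account": "000111222"},
    "PQRST5678K": {"name": "Taxpayer Two", "bank_account": "333444555"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session created at login; holds the PAN the user proved ownership of."""
    pan: str


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def lookup_vulnerable(session, requested_pan):
    """IDOR: authentication is checked, authorization is not.

    Any logged-in user can put any PAN in the request and get that record back.
    """
    if session is None:
        raise Forbidden("login required")
    return RECORDS.get(requested_pan)


def lookup_fixed(session, requested_pan):
    """Same interface, but the requested object is bound to the session's identity."""
    if session is None:
        raise Forbidden("login required")
    if not PAN_RE.fullmatch(requested_pan):
        raise ValueError("malformed PAN")
    if requested_pan != session.pan:
        # Deny without revealing whether the other PAN exists.
        raise Forbidden("not your record")
    return RECORDS.get(requested_pan)


def lookup_from_session(session):
    """Stronger still: the object identifier never comes from the client."""
    if session is None:
        raise Forbidden("login required")
    return RECORDS.get(session.pan)


def tampered_request(handler, victim_pan="PQRST5678K"):
    """Simulate a logged-in attacker replacing their own PAN with someone else's.

    Returns the victim's record if the handler is vulnerable, or the string
    'forbidden' if the authorization check holds.
    """
    attacker = Session(pan="ABCDE1234F")
    try:
        return handler(attacker, victim_pan)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    print("vulnerable:", tampered_request(lookup_vulnerable))
    print("fixed:     ", tampered_request(lookup_fixed))
```

The durable fix is the third form: once the identity is established at login, the server derives the record key from the session and the client is never offered a parameter to tamper with. Where a parameter must remain (for example an accountant acting for several clients), the check in `lookup_fixed` becomes a lookup in an explicit authorization table rather than a simple equality test.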

“This is something that is very low hanging, but has a very severe consequence,” the researchers told TechCrunch.

In addition to individuals’ data, the researchers said the bug also exposed data associated with companies registered on the e-filing portal.

TechCrunch also verified that the bug exposed data on individuals who had not yet filed income tax returns this year. We confirmed this by asking a person who had not yet filed their return for permission to have the researchers look up their information using the bug.

CERT-In acknowledges the security flaw

The researchers alerted India’s Computer Emergency Response Team, or CERT-In, to the security flaw soon after they discovered it, but were not given a timeline for a fix.

When contacted by TechCrunch on September 30, a CERT-In representative said that the Income Tax Department was already working on fixing the vulnerability.

The Indian Ministry of Finance did not return TechCrunch’s request for comment. After TechCrunch contacted the Income Tax Department about the vulnerability, the department’s systems general manager acknowledged receipt of the email on October 1, but did not comment further.

It remains unclear how long the vulnerability was present or whether any malicious actors accessed the exposed data. The Income Tax Department did not respond to these questions when asked by TechCrunch.

The exact number of users affected is also unclear. The Income Tax Department’s portal lists more than 135 million registered users, and more than 76 million users filed income tax returns in the 2024-25 financial year, according to statistics published on the portal itself.
