Security Flaw in India’s Income Tax Portal Compromises Sensitive Taxpayer Data

TechCrunch has obtained exclusive confirmation that India’s tax authority has successfully addressed a significant security vulnerability in its income tax filing platform, which was putting taxpayers’ sensitive information at risk.

The flaw, identified by security researchers Akshay CS and “Viral” in September, allowed any logged-in user of the income tax department’s e-Filing portal to access the personal and financial details of others.

The exposed data included full names, residential addresses, email addresses, dates of birth, phone numbers, and banking information of Indian taxpayers. It also exposed Aadhaar numbers, the unique identifiers issued by the government for identity verification and access to public services.

TechCrunch verified the flaw by giving the researchers permission to look up this reporter’s own records on the portal.

On October 2, the researchers informed TechCrunch that the vulnerability had been fixed. Out of concern for taxpayers’ safety, TechCrunch withheld this story until it had confirmed that the flaw could no longer be exploited.

Although representatives from the Indian Income Tax Department acknowledged TechCrunch’s request for comments, they did not provide a response by the time of publication. The department raised no objections to this story’s release.

‘Extremely Low-Hanging’ Flaw Exposes Sensitive Data

Researchers Akshay CS and “Viral” reported to TechCrunch that they found the vulnerability while filing their recent income tax returns on the official government website.

Indian citizens are required to file a return declaring their annual earnings so that their tax liability to the government can be determined.

The researchers discovered that, after logging into the portal with their Permanent Account Number (PAN)—an official identifier issued by the income tax department—they could retrieve other users’ sensitive financial information by intercepting the network request made while the page loaded and replacing their own PAN with someone else’s.

This could be done with widely available tools such as Postman, Burp Suite, or even the web browser’s built-in developer tools, provided the user knew someone else’s PAN, the researchers told TechCrunch.

The vulnerability was exploitable by any logged-in user because the Indian income tax department’s backend servers did not properly check whether the requesting account was authorized to view the requested record. This class of bug is known as an insecure direct object reference (IDOR), a common weakness that governments have warned is relatively easy to exploit and can lead to large data breaches.
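To make the failure concrete, here is an added illustration (not code from the e-Filing portal or the researchers) of a record lookup that trusts the client-supplied PAN next to one that checks it against the identity established at login; the PANs, records and function names are constructed for the example.

```python
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("efiling.authz")

# Constructed sample records keyed by PAN (hypothetical data, not real taxpayers).
RECORDS = {
    "ABCDE1234F": {"name": "Taxpayer One", "aadhaar": "XXXX-XXXX-0001", "bank": "acct-0001"},
    "FGHIJ5678K": {"name": "Taxpayer Two", "aadhaar": "XXXX-XXXX-0002", "bank": "acct-0002"},
}

# PAN format: five letters, four digits, one letter.
PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")


@dataclass
class Session:
    pan: str  # identity the user authenticated as when logging in


def lookup_vulnerable(session: Session, requested_pan: str):
    """IDOR pattern: the PAN in the request is used as the record key without
    ever being compared to the PAN the session was authenticated as."""
    return RECORDS.get(requested_pan)


def is_authorized(session: Session, requested_pan: str) -> bool:
    """Object-level authorization: a session may only read its own record."""
    pan = requested_pan.strip().upper()
    if not PAN_RE.fullmatch(pan):
        return False
    if pan != session.pan:
        # A mismatch is the detection signal: a logged-in account asking for
        # another taxpayer's record. Mask or hash PANs in logs per local policy.
        log.warning("authz_denied session_pan=%s requested_pan=%s", session.pan, pan)
        return False
    return True


def lookup_hardened(session: Session, requested_pan: str):
    """Same lookup, but the record key is validated against the session identity.
    (The simplest fix is to derive the key from session.pan and ignore the
    client-supplied value entirely; the explicit check also yields an audit log.)"""
    if not is_authorized(session, requested_pan):
        raise PermissionError("not authorised to view this PAN")
    return RECORDS.get(requested_pan.strip().upper())
```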

“This is an extremely low-hanging issue, but one with serious implications,” the researchers explained to TechCrunch.

Apart from individual data, the researchers pointed out that the flaw also laid bare information related to companies registered on the e-Filing portal.

TechCrunch further confirmed that the bug also exposed information about individuals who had not yet filed their income tax returns for the year: with the consent of someone who had not submitted a return, the researchers were able to retrieve that person’s data through the portal bug.

CERT-In Acknowledges the Security Vulnerability

Following their discovery, the researchers reported the flaw to India’s Computer Emergency Response Team, CERT-In, but were not given a timeline for a fix.

In response to TechCrunch’s inquiry on September 30, a CERT-In representative stated that the Income Tax Department was already working on addressing the vulnerability.

The Indian Ministry of Finance did not respond to TechCrunch’s request for comments. When TechCrunch reached out to the Income Tax Department regarding the vulnerability, the Director General of Systems acknowledged the receipt of TechCrunch’s email on October 1 but did not provide further comments.

It remains unclear how long the vulnerability existed or whether any unauthorized individuals accessed the exposed information. CERT-In did not respond to these questions when approached by TechCrunch.

The total number of users affected is also unknown. The Income Tax Department reports more than 135 million registered users, of whom more than 76 million individuals filed income tax returns for the financial year 2024-25, according to publicly available data on the portal.