India's tax authority has fixed a security flaw in its income tax e-filing portal that exposed the sensitive data of taxpayers, TechCrunch has learned.
The flaw, discovered in September by two security researchers, Akshay CS and “Viral”, allowed anyone logged in to the Income Tax Department's e-filing portal to access other people's personal and financial data.
The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers and bank details of people who pay income tax in India. The data also revealed citizens' Aadhaar numbers, a unique government-issued identifier used as proof of identity and to access government services.
TechCrunch verified the data to the best of its ability by authorizing the researchers to look up this reporter's records on the portal.
The researchers confirmed to TechCrunch on October 2 that the vulnerability had been fixed. Given the risk to the public, TechCrunch withheld this story until the researchers confirmed that the vulnerability could no longer be exploited.
Representatives of the Indian Income Tax Department acknowledged receipt of our email requesting comment, but did not answer our questions at the time of publication. The Income Tax Department raised no objection to the publication of this story.
An “extremely simple” bug grants access to sensitive data
Security researchers Akshay CS and “Viral” told TechCrunch that they discovered the vulnerability while filing their own recent income tax returns on the government's website.
Indian residents are required to declare their annual income so that the tax they owe to the Indian government can be calculated.
The researchers found that when they logged in to the portal using their permanent account number (PAN), an identifier issued by the Indian Income Tax Department, they could view anyone else's sensitive financial data by swapping their own PAN for someone else's in the network request sent when the web page loaded.
This could be done with publicly available tools such as Postman or Burp Suite (or with the developer tools built into a web browser) and knowledge of someone else's PAN, the researchers told TechCrunch.
The bug could be exploited by anyone logged in to the tax portal because the Income Tax Department's back-end servers did not properly check who was authorized to access a given person's sensitive data. This vulnerability class is known as an insecure direct object reference, or IDOR: a common and simple flaw that governments have warned is easy to exploit and can lead to large-scale data breaches.
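To make the mechanism described above concrete, here is an added example (not code from the e-filing portal or from the researchers) that models an IDOR in a lookup handler. The endpoint shape, the field names and the taxpayer records are constructed assumptions; the vulnerable handler returns whichever PAN the client puts in the request, while the hardened one selects the record from the identity bound to the authenticated session.

```python
"""Toy model of an insecure direct object reference (IDOR).

Constructed example: the request shape, field names and records below are
assumptions for illustration, not the real e-filing portal's code or data.
The PAN values are fictitious and not valid PANs.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample records keyed by PAN (fictitious values).
TAXPAYERS = {
    "ABCDE1234F": {"name": "Taxpayer One", "bank_account": "XXXX1111", "aadhaar_last4": "0001"},
    "PQRST5678K": {"name": "Taxpayer Two", "bank_account": "XXXX2222", "aadhaar_last4": "0002"},
}


@dataclass
class Request:
    """What the server sees for one call.

    session_pan comes from the server-side session store and cannot be edited
    by the client. params are the query/body parameters the client sent, which
    an attacker can rewrite freely with Burp, Postman or browser dev tools.
    """
    session_pan: str
    params: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the authenticated user may not read the requested object."""


def vulnerable_profile(req: Request) -> Optional[dict]:
    """IDOR: the caller is authenticated (a session exists), but the record
    returned is chosen by a client-controlled identifier with no check that
    the session owner is allowed to read it."""
    target = req.params.get("pan")
    return TAXPAYERS.get(target)


def hardened_profile(req: Request) -> dict:
    """Fix: the object is selected from the session identity. A PAN supplied
    by the client is accepted only if it matches the authenticated user.
    (A real system with delegated access, e.g. a tax preparer acting for a
    client, would consult a server-side authorization table here instead of a
    plain equality check; that table is omitted in this toy.)"""
    requested = req.params.get("pan", req.session_pan)
    if requested != req.session_pan:
        # Worth logging: a session asking for someone else's PAN is exactly
        # the pattern an IDOR probe or enumeration produces.
        raise Forbidden(f"session {req.session_pan} may not read {requested}")
    return TAXPAYERS[req.session_pan]


def demo() -> Tuple[Optional[dict], str]:
    """Attacker logged in as ABCDE1234F swaps in another PAN. Returns the
    record the vulnerable handler leaks and the hardened handler's outcome."""
    attacker = Request(session_pan="ABCDE1234F", params={"pan": "PQRST5678K"})
    leaked = vulnerable_profile(attacker)
    try:
        hardened_profile(attacker)
        outcome = "allowed"
    except Forbidden:
        outcome = "forbidden"
    return leaked, outcome


if __name__ == "__main__":
    leaked, outcome = demo()
    print("vulnerable handler leaked:", leaked)
    print("hardened handler:", outcome)
```

The important design point is that authentication and authorization are separate checks: the vulnerable handler proves who the caller is and then stops, so any PAN the caller types in is honored. The hardened handler never uses the client-supplied identifier to pick the object; it either derives the object from the session or verifies the identifier against server-side state before touching the store.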
“This is an extremely simple thing, but one that has very serious consequences,” the researchers told TechCrunch.
In addition to individuals' data, the researchers said the bug also exposed data associated with companies registered on the e-filing portal.
TechCrunch also verified that the bug exposed data on people who had not yet filed their income tax return this year. We confirmed this by asking a person who had not yet filed their return for permission to let the researchers look up their information using the portal bug.
CERT-In acknowledges the security flaw
The security researchers alerted India's Computer Emergency Response Team, or CERT-In, to the security flaw shortly after discovering it, but did not receive a timeline for a fix.
Contacted by TechCrunch on September 30, a CERT-In representative said the Income Tax Department was already working to fix the vulnerability.
India's Finance Ministry did not respond to TechCrunch's request for comment. After TechCrunch contacted the Income Tax Department about the vulnerability, its Director General of Systems acknowledged receipt of TechCrunch's email on October 1, but made no further comment.
It is not known how long the vulnerability existed or whether malicious actors accessed the exposed data. CERT-In did not answer these questions from TechCrunch.
The exact number of users affected by the exposure is also unclear. The Income Tax Department's portal lists more than 135 million registered users, and more than 76 million users filed income tax returns during the 2024-25 year, according to public data available on the portal itself.