Security bug in India’s income tax portal exposed taxpayers’ sensitive data

The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayer data. This issue was discovered in September by a pair of security researchers, Akshay CS and “Viral.”

The flaw allowed anyone logged into the Income Tax Department’s e-Filing portal to access the current personal and financial data of other individuals. The exposed information included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay income tax in India. The data also included citizens’ Aadhaar numbers, which are unique government-issued identifiers used as proof of identity for accessing public services.

The security researchers confirmed on October 2 that the vulnerability was fixed. Given the potential risk to the public, the publication of this story was delayed until the researchers confirmed the flaw could no longer be exploited.

The security researchers explained they discovered the vulnerability while filing their own income tax returns on the government website. They found that after signing into the portal using their Permanent Account Number, or PAN, they could view anyone else’s sensitive financial data by replacing their own PAN with another person’s PAN in the network request sent as the web page loaded. This could be accomplished using publicly available tools or a web browser’s built-in developer tools, provided the user knew another individual’s PAN.

This bug was exploitable by anyone logged into the tax portal because the back-end servers were not properly verifying who was permitted to access a person’s sensitive data. This type of security flaw is known as an insecure direct object reference, or IDOR. It is a common and simple vulnerability that governments have warned is easy to exploit and can lead to large-scale data breaches. The researchers described it as an extremely simple issue to find but one with very severe consequences.
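As an added illustration, not the portal’s code and using constructed placeholder records and hypothetical function names, the following Python shows the check whose absence produces an IDOR: the vulnerable handler trusts the PAN supplied in the request, the hardened handler binds the lookup to the PAN established at login, and a small log scan shows how sessions that repeatedly request other people’s PANs can be flagged.

```python
from dataclasses import dataclass

# Constructed sample records keyed by PAN; all values are fictitious placeholders.
TAXPAYERS = {
    "AAAAA0000A": {"name": "Taxpayer One", "bank_account": "XXXX0001"},
    "BBBBB1111B": {"name": "Taxpayer Two", "bank_account": "XXXX0002"},
}


@dataclass
class Session:
    pan: str  # PAN established at login: the only trustworthy identity source


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session: Session, requested_pan: str) -> dict:
    # IDOR: the PAN from the request is used as-is, never compared to the session.
    return TAXPAYERS[requested_pan]


def get_profile_hardened(session: Session, requested_pan: str) -> dict:
    # Object-level authorization: a caller may only read their own record.
    if requested_pan != session.pan:
        raise Forbidden("requested PAN does not belong to the authenticated user")
    return TAXPAYERS[requested_pan]


def get_profile_safest(session: Session) -> dict:
    # Better still: derive the key from the session and accept no PAN parameter.
    return TAXPAYERS[session.pan]


def suspicious_sessions(log: list[tuple[str, str]], threshold: int = 3) -> set[str]:
    # Detection over constructed access-log entries of (session_pan, requested_pan):
    # flag sessions that asked for other PANs at least `threshold` times.
    counts: dict[str, int] = {}
    for session_pan, requested_pan in log:
        if session_pan != requested_pan:
            counts[session_pan] = counts.get(session_pan, 0) + 1
    return {s for s, n in counts.items() if n >= threshold}
```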

In addition to individual data, the bug exposed information associated with companies registered on the e-Filing portal, as well as data belonging to individuals who had not yet filed their income tax returns for the year.

The security researchers alerted India’s computer emergency readiness team, CERT-In, to the flaw soon after its discovery but were not given a timeline for a fix. When contacted on September 30, a CERT-In representative stated the Income Tax Department was already working on resolving the vulnerability.

The Indian Ministry of Finance did not return a request for comment. After being contacted about the issue, the Director General of Systems acknowledged receipt of an email on October 1 but provided no further comment.

It remains unclear how long the vulnerability existed or if any malicious actors accessed the exposed data. CERT-In did not respond to these questions. The exact number of impacted users is also unknown. The Income Tax Department’s portal lists more than 135 million registered users, and public data shows over 76 million users filed income tax returns in the 2024-25 financial year.