The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayers’ data, TechCrunch has exclusively learned and confirmed with authorities.
The flaw, discovered in September by a pair of security researchers, Akshay CS and “Viral,” allowed anyone who was logged into the income tax department’s e-Filing portal to access up-to-date personal and financial information of other people.
The exposed data included full names, home addresses and email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India. The data also exposed citizens’ Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services.
TechCrunch verified the data to the best of its ability by granting permission to the researchers to look up this reporter’s records on the portal.
The security researchers confirmed to TechCrunch on October 2 that the vulnerability was fixed. Given the risk to the public, TechCrunch withheld publishing this story until the security researchers confirmed that the vulnerability can no longer be exploited.
Representatives for the Indian Income Tax Department acknowledged our email requesting comment, but did not reply to our questions by press time. The Income Tax Department did not present any objections to our publishing this story.
‘Extremely low hanging’ bug granted access to sensitive data
The security researchers Akshay CS and “Viral” told TechCrunch that they discovered the vulnerability while filing their new income tax return on the government website.
Residents of India are required to file their yearly earnings to calculate the taxes they owe to the Indian government.
The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else’s sensitive financial data by swapping out their PAN for another PAN in the web request as the web page loads.
This could be done using publicly available tools like Postman or Burp Suite (or using the web browser’s built-in developer tools) and with knowledge of someone else’s PAN, the researchers told TechCrunch.
The bug was exploitable by anyone who was logged in to the tax portal because the Indian income tax department’s back-end servers were not properly checking who was allowed to access a person’s sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.
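The pattern the article describes, a back end that authenticates the session but then trusts a client-supplied PAN, is easiest to see next to its fix. The following is an added example written for this page, not code from the e-Filing portal or from the researchers; the PANs, records, session tokens and log lines are all constructed, and the request shape and handler names are assumptions. The first handler reproduces the IDOR, the second derives the record owner from the server-side session, and the last function shows the kind of audit-log check a defender can run to spot one session reading many different taxpayers’ records.

```python
"""Added example: an IDOR in a taxpayer-record lookup, its fix, and a
simple audit-log check. Constructed data only; not the portal's code."""
from dataclasses import dataclass, field

# Constructed sample data: made-up PANs and records, not real taxpayers.
RECORDS = {
    "AAAAA0000A": {"name": "Taxpayer One", "bank_account": "XXXXXXXX1111"},
    "BBBBB1111B": {"name": "Taxpayer Two", "bank_account": "XXXXXXXX2222"},
}

# Constructed session store: session token -> PAN of the user who logged in.
SESSIONS = {"sess-alice": "AAAAA0000A"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape)."""
    session_token: str
    params: dict = field(default_factory=dict)


def vulnerable_profile(req: Request):
    """Checks only that the caller is logged in, then trusts the PAN the
    client put in the request: any logged-in user can read any record."""
    if req.session_token not in SESSIONS:
        return 401, {"error": "login required"}
    pan = req.params.get("pan")
    if pan not in RECORDS:
        return 404, {"error": "no such record"}
    return 200, RECORDS[pan]


def fixed_profile(req: Request):
    """Derives the PAN from the server-side session and refuses a request
    whose client-supplied PAN does not match the authenticated user."""
    owner = SESSIONS.get(req.session_token)
    if owner is None:
        return 401, {"error": "login required"}
    requested = req.params.get("pan", owner)
    if requested != owner:
        return 403, {"error": "not your record"}
    return 200, RECORDS[owner]


# Constructed access-log lines: "<timestamp> session=<token> pan=<PAN>".
SAMPLE_LOG = """\
2025-09-20T10:00:01Z session=sess-alice pan=AAAAA0000A
2025-09-20T10:00:05Z session=sess-scan pan=AAAAA0000A
2025-09-20T10:00:06Z session=sess-scan pan=BBBBB1111B
2025-09-20T10:00:07Z session=sess-scan pan=CCCCC2222C
2025-09-20T10:00:08Z session=sess-scan pan=DDDDD3333D
"""


def sessions_reading_many_pans(log_text: str, threshold: int = 3):
    """Returns {session: distinct PAN count} for sessions that looked up at
    least `threshold` distinct PANs. A logged-in user normally reads only
    their own record, so a wide spread of PANs per session is worth review."""
    seen = {}
    for line in log_text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        seen.setdefault(fields["session"], set()).add(fields["pan"])
    return {s: len(p) for s, p in seen.items() if len(p) >= threshold}


if __name__ == "__main__":
    other = Request("sess-alice", {"pan": "BBBBB1111B"})
    print("vulnerable:", vulnerable_profile(other)[0])  # 200: leaks another record
    print("fixed:", fixed_profile(other)[0])            # 403
    print(sessions_reading_many_pans(SAMPLE_LOG))       # {'sess-scan': 4}
```

The fix is the one-line principle behind every IDOR remediation: the identifier that selects a record must come from server-side state tied to the authenticated user, never from the request body, query string or URL. The log check is deliberately crude; in practice the same count per session or per source address, alerting on a spread well above one, is a cheap signal for enumeration against a lookup endpoint.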
“This is an extremely low hanging thing, but one that has a very severe impact,” the researchers told TechCrunch.
In addition to the data of individuals, the researchers said that the bug also exposed data associated with companies that were registered with the e-Filing portal.
TechCrunch also verified that the bug exposed data on individuals who have yet to file their income tax returns this year. We confirmed this by asking a person who had not yet filed their tax returns for their permission to have the researchers look up their information using the portal bug.
CERT-In acknowledges security flaw
The security researchers alerted India’s computer emergency readiness team, or CERT-In, to the security flaw soon after their discovery, but were not provided with a timeline for the fix.
When contacted by TechCrunch on September 30, a CERT-In representative said the Income Tax Department was already working to fix the vulnerability.
The Indian Ministry of Finance did not return TechCrunch’s request for comment. After reaching out to the Income Tax Department regarding the vulnerability, the Director General of Systems acknowledged receipt of TechCrunch’s email on October 1, but did not comment further.
It remains unclear how long the vulnerability has existed or whether any malicious actors have accessed the exposed data. CERT-In did not respond to these questions when asked by TechCrunch.
The exact number of users impacted by the exposed data is also unclear. The Income Tax Department’s portal lists more than 135 million registered users, and over 76 million users filed income tax returns in the financial year 2024-25, per public data available on the portal itself.