Government Resolves Major Flaw in Income Tax Portal, Averts Potential Data Leak

A significant risk of data leakage was recently averted as the Indian government addressed a critical security vulnerability in its income tax e-filing portal. This issue had put sensitive taxpayer information at risk, exposing personal and financial data across the country. Fortunately, authorities have now implemented the necessary fixes.

The security flaw was uncovered by two researchers, Akshay CS and “Viral,” while they were filing their tax returns in September. They realized that it was possible for a user logged into the income tax portal to access information belonging to other users. The compromised data included individuals’ names, addresses, phone numbers, email addresses, dates of birth, bank details, and even Aadhaar numbers, which could have led to serious misuse if exploited.

The researchers explained to TechCrunch, “This is an extremely low-hanging thing, but one that has a very severe consequence.” The vulnerability, categorized as an IDOR (insecure direct object reference), stemmed from the system’s failure to check whether a logged-in user was authorized to view specific data. Essentially, an individual could manipulate a network request using another person’s Permanent Account Number (PAN) to access their private information.
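The missing check described above can be shown in a small sketch. This is an added example, not the portal's code: the handler names, the session model and the sample records are all hypothetical, and it puts the flawed lookup next to one that enforces ownership of the requested PAN and logs denied attempts.

```python
# Added illustration: hypothetical names and constructed data, not the portal's code.
from dataclasses import dataclass

# Constructed sample records keyed by PAN (all values are fake).
RECORDS = {
    "AAAPA1111A": {"name": "Taxpayer A", "bank": "XXXX-0001"},
    "BBBPB2222B": {"name": "Taxpayer B", "bank": "XXXX-0002"},
}

@dataclass(frozen=True)
class Session:
    pan: str  # PAN bound to the session by the server at login

class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""

AUDIT_LOG = []  # denied lookups, kept for detection and alerting

def get_profile_vulnerable(session, requested_pan):
    # Flawed pattern from the article: the caller is logged in, but the
    # PAN in the request is trusted without any ownership check.
    if session is None:
        raise Forbidden("login required")
    return RECORDS.get(requested_pan)

def get_profile_checked(session, requested_pan):
    # Object-level authorization: the requested PAN must be the PAN the
    # server bound to this session, not merely any valid PAN.
    if session is None:
        raise Forbidden("login required")
    if requested_pan != session.pan:
        # Same error whether or not the PAN exists, so responses do not
        # reveal which PANs are registered; the mismatch is recorded.
        AUDIT_LOG.append({"actor": session.pan, "requested": requested_pan})
        raise Forbidden("not authorized for this record")
    return RECORDS.get(requested_pan)

def try_read(handler, session, requested_pan):
    """Return the record, or the string 'denied' if access is refused."""
    try:
        return handler(session, requested_pan)
    except Forbidden:
        return "denied"
```

A session that repeatedly requests PANs other than its own shows up as a run of entries in `AUDIT_LOG`, which is the signal a monitoring rule would alert on.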

The flaw impacted both individual taxpayers and businesses registered on the government tax portal. Notably, it even enabled access to data from users who had not yet submitted their tax returns for the ongoing financial year.

After discovering the issue, the researchers notified the Indian Computer Emergency Response Team (CERT-In), which acknowledged the report and forwarded it to the Income Tax Department for remediation. By early October, the researchers confirmed that the flaw had been effectively addressed, and the vulnerability was no longer exploitable.

While the Income Tax Department did not provide a comprehensive public statement, it acknowledged having received reports about the issue. The Ministry of Finance also refrained from commenting in response to media inquiries. It remains unclear how long this vulnerability had persisted or if any data misuse occurred prior to its resolution.

With over 135 million registered users, the income tax portal serves a vast number of individuals, 76 million of whom filed returns during the 2024–25 financial year. Given the portal’s extensive user base, this vulnerability could have posed a significant threat had it fallen into the wrong hands.

Radhika Goyal is an author at the Taxconcept Gurugram head office, writing deeply reported tax, GST and income tax articles on issues that matter. She splits her time between New Delhi and Bengaluru, and has worked...