The Indian government's tax authorities have fixed a security flaw in the income tax return portal, which publishes sensitive taxpayer data.
The flaw, discovered by security researchers Akshay CS and “Viral” in September, allowed anyone logged in to the Income Tax Bureau's electronic filing portal to access other people's latest personal and financial data.
The exposed data included the names, home addresses and email addresses, date of birth, phone numbers and bank account details of those paying taxes on their Indian income. The data also exposed citizens' Aadhaar numbers. This is a unique government-issued identifier used as proof of identity and used to access government services.
TechCrunch confirmed the data to the fullest extent of its capabilities by granting researchers permission to search the reporter's records on the portal.
Security researchers confirmed that the vulnerability was fixed in TechCrunch on October 2nd. Given the risks to the public, TechCrunch has refrained from publishing the story until security researchers have confirmed that the vulnerability can no longer be exploited.
Representatives from India's Income Tax Agency have confirmed the email requesting comment but did not respond to questions per reporting time. The Income Tax Bureau did not object to the publication of this story.
“Very Low” bug allowed access to sensitive data
Security researchers Akshay CS and Viral told TechCrunch they discovered the vulnerability while filing a recent income tax return on the government website.
Indian residents must submit annual revenues to calculate the taxes owed to the Indian government.
When the researchers signed the portal using the official document Permanent Account Number (PAN), issued by the Income Tax Division of India, they discovered that by swapping another PAN in the network request for pan when the web page loads, they could see the delicate financial data of others.
This can be done using publicly available tools such as Postman or Burp Suite (or using built-in developer tools in a web browser).
The Indian Income Tax Agency's backend servers did not properly check those who were allowed to access people's sensitive data, so the bug could be exploited by people logged in to the tax portal. This class of vulnerabilities is known as unstable direct object references as a common, simple flaw that the government warns is easy and can lead to massive data breaches.
“It's very low, but it has very serious consequences,” the researcher told TechCrunch.
In addition to personal data, researchers said they also published data relating to companies whose bugs were registered in the e-filing portal.
TechCrunch also confirmed that the bug has released data on individuals who have not yet filed their income tax returns this year. This was confirmed by asking people who have not yet filed their tax returns, asking for permission to use the portal bug to let researchers look into the information.
CERTIN acknowledges security flaws
Security researchers warned the Indian Computer Emergency Preparedness Team (Certificate) of security flaws immediately after discovery, but no timeline for fixes was provided.
When contacted by TechCrunch on September 30, a representative from Cert-In said the Income Tax Bureau was already working to fix the vulnerability.
India's Treasury did not reply to TechCrunch's request for comment. After reaching out to the Income Tax Agency regarding the vulnerability, the Systems Director confirmed the receipt of TechCrunch emails on October 1, but did not comment further.
It remains unclear how many vulnerabilities exist and whether malicious parties have access to exposed data. Cert-in did not respond to these questions when asked by TechCrunch.
The exact number of users affected by published data is also unknown. The Income Tax Bureau portal lists over 135 million registered users, and over 76 million users filed income tax returns for fiscal year 2024-25 for each publicly available data available on the portal itself.