
The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayer data, TechCrunch has exclusively learned and confirmed with authorities.
The flaw, discovered in September by two security researchers, Akshay CS and “Viral,” allowed anyone who was logged into the income tax department’s e-Filing portal[1] to access up-to-date personal and financial data belonging to other people.
The exposed data included full names, home addresses and email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India. The data also exposed citizens’ Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services.
TechCrunch verified the data to the best of its ability by granting permission to the researchers to look up this reporter’s records on the portal.
The security researchers confirmed to TechCrunch on October 2 that the vulnerability was fixed. Given the risk to the public, TechCrunch withheld publishing this story until the security researchers confirmed that the vulnerability can no longer be exploited.
Representatives for the Indian Income Tax Department acknowledged our email requesting comment, but did not answer our questions by press time. The Income Tax Department did not present any objections to our publishing this story.
‘Extremely low hanging’ bug granted access to sensitive data
The security researchers Akshay CS and “Viral” told TechCrunch that they discovered the vulnerability while filing their recent income tax return on the government website.
Residents of India are required to file their annual earnings to calculate the taxes they owe to the Indian government.
The researchers found that when they signed into the portal using their Permanent Account Number (PAN), a taxpayer identifier issued by the Indian income tax department, they could view anyone else’s sensitive financial data by swapping their own PAN for another person’s PAN in the network request the web page makes as it loads.
This could be done using publicly available tools like Postman or Burp Suite[2] (or using the web browser’s in-built developer tools) and with knowledge of someone else’s PAN, the researchers told TechCrunch.
The bug was exploitable by anyone who was logged in to the tax portal because the Indian income tax department’s back-end servers were not checking whether the logged-in user was actually authorized to view the record they requested; being authenticated at all was enough. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit[3] and can result in large-scale data breaches.
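The pattern described above, reduced to its essentials as an added example (this is illustrative code, not the Income Tax Department’s portal code, and the record store, PAN values, session fields and handler names are all constructed for the demonstration): a request handler that looks up a record by a client-supplied PAN while only checking that some session exists, beside a handler that derives authorization from the session. The `probe_cross_account` helper is the check a tester would run against either handler: log in as one identity and ask for another identity’s record.

```python
"""Added illustration of the IDOR class in the article: a vulnerable handler,
a fixed handler, and a cross-account probe. Nothing here is the portal's own
code; names, fields and data are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Constructed sample records. The PANs are made up; they only follow the
# ten-character alphanumeric shape and belong to no real person.
RECORDS = {
    "ABCDE1234F": {"name": "Taxpayer One", "bank_account": "XXXXXX0001"},
    "PQRST5678G": {"name": "Taxpayer Two", "bank_account": "XXXXXX0002"},
}


@dataclass(frozen=True)
class Session:
    """Identity established at login (hypothetical shape)."""
    pan: str
    # PANs this login may act for: always its own, plus any entity (for
    # example a company) it is an authorized filer for. Assumed field.
    authorized: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    session: Optional[Session]
    pan_param: str  # PAN taken from the request: fully attacker-controlled


class Forbidden(Exception):
    pass


def vulnerable_profile(req: Request) -> dict:
    """The bug: trusts the client-supplied PAN after only confirming that
    a session exists, so any logged-in user can swap in someone else's PAN."""
    if req.session is None:
        raise Forbidden("login required")
    return RECORDS[req.pan_param]


def fixed_profile(req: Request) -> dict:
    """Authorization comes from the session, never from the request body.
    The lookup key is only accepted if the session is entitled to it."""
    if req.session is None:
        raise Forbidden("login required")
    if req.pan_param not in req.session.authorized:
        # A mismatch here is itself worth logging and alerting on: a
        # legitimate client has no reason to request another PAN.
        raise Forbidden("session not authorized for requested PAN")
    return RECORDS[req.pan_param]


def probe_cross_account(handler: Callable[[Request], dict]) -> bool:
    """Return True if a user logged in as one PAN can read another PAN's
    record through `handler`, i.e. the handler is vulnerable to IDOR."""
    attacker = Session(pan="ABCDE1234F", authorized=frozenset({"ABCDE1234F"}))
    victim_pan = "PQRST5678G"
    try:
        leaked = handler(Request(session=attacker, pan_param=victim_pan))
    except Forbidden:
        return False
    return leaked == RECORDS[victim_pan]


if __name__ == "__main__":
    print("vulnerable leaks:", probe_cross_account(vulnerable_profile))
    print("fixed leaks:", probe_cross_account(fixed_profile))
```

The preferred fix is stricter still: key the lookup on the session’s own identity and drop the client-supplied parameter entirely wherever a user should only ever see their own record. An allow-list as in `fixed_profile` is the shape needed when one login legitimately acts for several entities, which is the company case the article mentions.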
“This is an extremely low hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch.
In addition to the data of individuals, the researchers said that the bug also exposed data associated with companies registered with the e-Filing portal.
TechCrunch also verified that the bug exposed data on individuals who have yet to file their income tax returns this year. We confirmed this by asking a person who had not yet filed their tax returns for their permission to have the researchers look up their information using the portal bug.
CERT-In acknowledges security flaw
The security researchers alerted the Indian Computer Emergency Response Team, or CERT-In, to the security flaw soon after their discovery, but were not given a timeline for the fix.
When contacted by TechCrunch on September 30, a CERT-In representative said the Income Tax Department was already working to fix the vulnerability.
The Indian Ministry of Finance did not return TechCrunch’s request for comment. After TechCrunch contacted the Income Tax Department about the vulnerability, its Director General of Systems acknowledged receipt of the email on October 1, but did not comment further.
It remains unclear how long the vulnerability has existed or whether any malicious actors have accessed the exposed data. CERT-In did not respond to these questions when asked by TechCrunch.
The exact number of users impacted by the exposed data is also unclear. The Income Tax Department’s portal lists more than 135 million registered users, and over 76 million users filed income tax returns in the financial year 2024-25, per public data[4] available on the portal itself.
References
- [1] income tax department’s e-Filing portal (www.incometax.gov.in)
- [2] Burp Suite (techcrunch.com)
- [3] governments have warned is easy to exploit (techcrunch.com)
- [4] public data (eportal.incometax.gov.in)