The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayers’ data, TechCrunch has exclusively learned and confirmed with officials.
The flaw, discovered in September by a pair of security researchers Akshay CS and “Viral,” allowed anyone who was logged into the income tax department’s e-Filing portal to access up-to-date personal and financial information of other people.
The exposed data included full names, home addresses and email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India. The data also exposed citizens’ Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services.
TechCrunch verified the data to the best of its ability by granting permission to the researchers to look up this reporter’s records on the portal.
The security researchers confirmed to TechCrunch on October 2 that the vulnerability was fixed. Given the risk to the public, TechCrunch withheld publishing this story until the security researchers confirmed that the vulnerability can no longer be exploited.
Representatives for the Indian Income Tax Department acknowledged our email requesting comment, but did not reply to our questions by press time. The Income Tax Department did not present any objections to our publishing this story.
‘Extremely low hanging’ bug granted access to sensitive data
The security researchers Akshay CS and “Viral” told TechCrunch that they discovered the vulnerability while filing their new income tax return on the government website.
Residents of India are required to file their annual earnings to calculate the taxes they owe to the Indian government.
The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else’s sensitive financial information by swapping out their PAN for another PAN in the web request as the web page loads.
This could be done using publicly available tools like Postman or Burp Suite (or using the web browser’s built-in developer tools) and with knowledge of someone else’s PAN, the researchers told TechCrunch.
The bug was exploitable by anyone who was logged in to the tax portal because the Indian income tax department’s back-end servers were not properly checking who was allowed to access a person’s sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.
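The following is an added illustration, not code from TechCrunch or from the e-Filing portal, of the failure class the article describes: a handler that only checks that the caller is logged in beside one that also checks that the requested record belongs to the authenticated identity, plus a small log check a defender could use to spot one session reading many different people’s records. The record layout, the placeholder PANs, the data store and the log lines are all constructed here and assume nothing about the real portal.

```python
# Added example (not TechCrunch's or the portal's code). Models an IDOR on a
# "profile by PAN" lookup and the server-side authorization check that closes it.
from dataclasses import dataclass


@dataclass(frozen=True)
class TaxpayerRecord:
    pan: str
    full_name: str
    bank_account: str


# Constructed sample data with placeholder PANs (not real identifiers).
RECORDS = {
    "AAAPA0000A": TaxpayerRecord("AAAPA0000A", "Taxpayer One", "XXXX-0001"),
    "BBBPB0000B": TaxpayerRecord("BBBPB0000B", "Taxpayer Two", "XXXX-0002"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def profile_vulnerable(session_pan, requested_pan):
    """IDOR pattern: authenticates the caller but trusts the identifier taken
    from the request, so any logged-in user can read any record."""
    if session_pan is None:
        raise Forbidden("not logged in")
    return RECORDS.get(requested_pan)


def profile_hardened(session_pan, requested_pan):
    """Object-level authorization: the identifier in the request must match the
    identity bound to the session; a mismatch is rejected and worth logging."""
    if session_pan is None:
        raise Forbidden("not logged in")
    if requested_pan != session_pan:
        raise Forbidden("record does not belong to the authenticated user")
    return RECORDS.get(session_pan)


def profile_from_session(session_pan):
    """Stronger still: derive the key from the session and never accept it
    from the request, so there is no identifier to swap."""
    if session_pan is None:
        raise Forbidden("not logged in")
    return RECORDS.get(session_pan)


def denied(handler, *args):
    """Helper for tests: True if the handler refuses the request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


# Constructed access-log lines: "<session> <method> <path>".
SAMPLE_LOG = """\
sess-1 GET /profile?pan=AAAPA0000A
sess-1 GET /profile?pan=BBBPB0000B
sess-1 GET /profile?pan=CCCPC0000C
sess-2 GET /profile?pan=BBBPB0000B
"""


def sessions_reading_many_records(log_text, threshold=2):
    """Detection: sessions that requested at least `threshold` distinct PANs.
    One user normally reads only their own record, so this is a useful
    indicator when reviewing access logs after an IDOR is found."""
    seen = {}
    for line in log_text.splitlines():
        session, _method, path = line.split(" ", 2)
        pan = path.split("pan=", 1)[1]
        seen.setdefault(session, set()).add(pan)
    return sorted(s for s, pans in seen.items() if len(pans) >= threshold)


if __name__ == "__main__":
    print(profile_vulnerable("AAAPA0000A", "BBBPB0000B"))   # leaks Taxpayer Two
    print(denied(profile_hardened, "AAAPA0000A", "BBBPB0000B"))  # True
    print(sessions_reading_many_records(SAMPLE_LOG))        # ['sess-1']
```

The hardened handlers show the two usual fixes for this class of bug: compare the requested identifier against the one bound to the session, or stop reading the identifier from the request at all. The log check is the kind of after-the-fact review that helps answer the question the article leaves open, namely whether anyone else used the flaw before it was fixed.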
“This is an extremely low hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch.
In addition to the data of individuals, the researchers said that the bug also exposed data associated with companies who were registered with the e-Filing portal.
TechCrunch also verified that the bug exposed data on individuals who have yet to file their income tax returns this year. We confirmed this by asking a person who had not yet filed their tax returns for their permission to have the researchers look up their information using the portal bug.
CERT-In acknowledges security flaw
The security researchers alerted India’s computer emergency response team, or CERT-In, to the security flaw soon after their discovery, but were not provided with a timeline for the fix.
When contacted by TechCrunch on September 30, a CERT-In representative said the Income Tax Department was already working to fix the vulnerability.
The Indian Ministry of Finance did not return TechCrunch’s request for comment. After reaching out to the Income Tax Department regarding the vulnerability, the Director General of Systems acknowledged receipt of TechCrunch’s email on October 1, but did not comment further.
It remains unclear how long the vulnerability has existed or whether any malicious actors have accessed the exposed data. CERT-In did not respond to these questions when asked by TechCrunch.
The exact number of users impacted by the exposed data is also unclear. The Income Tax Department’s portal lists more than 135 million registered users, and over 76 million users filed income tax returns in the fiscal year 2024-25, per public data available on the portal itself.