India's income tax authorities have fixed a security flaw in the government's income tax e-filing portal that exposed sensitive taxpayer data, TechCrunch has learned and exclusively confirmed with the authorities.
The flaw, discovered in September by security researchers Akshay CS and "Viral", allowed anyone registered with the Income Tax Department's e-Filing portal to access up-to-date personal and financial data belonging to other people.
The exposed data included full names, home addresses, e-mail addresses, dates of birth, telephone numbers and bank account details of people who pay income tax in India. The data also exposed citizens' Aadhaar numbers, a unique government-issued identifier used as proof of identity and for access to government services.
TechCrunch verified the data as far as it could by giving the researchers permission to look up this reporter's data on the portal.
The security researchers confirmed to TechCrunch on 2 October that the vulnerability had been resolved. Given the risk to the public, TechCrunch held this story until the researchers confirmed that the vulnerability could no longer be exploited.
Representatives of the Indian Income Tax Department acknowledged our e-mail requesting comment, but did not answer our questions by press time. The Income Tax Department raised no objection to our publication of this story.
'Extremely low-hanging' bug granted access to sensitive data
Security researchers Akshay CS and "Viral" told TechCrunch that they discovered the vulnerability while filing their recent income tax return on the government website.
Residents of India are required to file their annual income so that the tax they owe to the Indian government can be calculated.
The researchers found that after logging in to the portal with their permanent account number (PAN), an official identifier issued by the Indian Income Tax Department, they could view someone else's sensitive financial data by swapping their own PAN for another person's PAN in the network request while the web page was loading.
This can be done with publicly available tools such as Postman or Burp Suite (or a web browser's built-in developer tools) and knowledge of someone else's PAN, the researchers told TechCrunch.
The bug could be exploited by anyone logged in to the tax portal because the Income Tax Department's back-end servers did not properly check who was accessing a person's sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can lead to large-scale data breaches.
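The authorization failure described above, as an added illustration that is neither the portal's code nor the researchers' work: a request handler that trusts the client-supplied PAN beside one that binds the lookup to the login session, plus a small check over constructed access-log lines for the mismatch pattern such a bug leaves behind. The records, PAN values and log format are all made up.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by PAN (made-up identifiers, not real PANs).
TAXPAYERS = {
    "AAAAA0000A": {"name": "Taxpayer One", "bank_account": "XXXX1111"},
    "BBBBB0000B": {"name": "Taxpayer Two", "bank_account": "XXXX2222"},
}


@dataclass
class Session:
    pan: str  # PAN established at login: the only identity the server should trust


class Forbidden(Exception):
    pass


def profile_vulnerable(session: Optional[Session], requested_pan: str) -> dict:
    """IDOR pattern: confirms that *someone* is logged in, then serves the record
    for whatever PAN the client put in the request."""
    if session is None:
        raise Forbidden("login required")
    return TAXPAYERS[requested_pan]


def profile_hardened(session: Optional[Session], requested_pan: str) -> dict:
    """Object-level authorization: the lookup key must be the session's own PAN,
    so a substituted PAN is refused rather than served."""
    if session is None:
        raise Forbidden("login required")
    if requested_pan != session.pan:
        raise Forbidden("requested PAN does not belong to the authenticated user")
    return TAXPAYERS[session.pan]


def count_pan_mismatches(log_lines: list) -> Counter:
    """Detection helper over constructed access-log lines of the form
    'session=<pan> requested=<pan>': counts, per session, requests whose PAN
    differs from the session's own. A run of these from one session is the
    probing pattern an IDOR leaves in server logs."""
    hits: Counter = Counter()
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields["session"] != fields["requested"]:
            hits[fields["session"]] += 1
    return hits


SAMPLE_LOG = [  # constructed lines, not real portal logs
    "session=AAAAA0000A requested=AAAAA0000A",
    "session=AAAAA0000A requested=BBBBB0000B",
    "session=AAAAA0000A requested=CCCCC0000C",
    "session=BBBBB0000B requested=BBBBB0000B",
]
```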
"This is an extremely low-hanging case, but one that has a very serious consequence," the researchers told TechCrunch.
In addition to data on individuals, the researchers said the bug also exposed data belonging to companies registered with the e-Filing portal.
TechCrunch also verified that the bug exposed data on people who had not yet filed their income tax returns this year. We confirmed this by asking a person who had not yet filed a return for permission to have the researchers look up their information using the portal bug.
CERT-In acknowledges security flaw
The security researchers alerted the Indian Computer Emergency Response Team, or CERT-In, to the security flaw shortly after their discovery, but did not receive a timeline for a fix.
Contacted by TechCrunch on 30 September, a CERT-In representative said that the Income Tax Department was already working to remediate the vulnerability.
India's Ministry of Finance did not return TechCrunch's request for comment. After TechCrunch contacted the Income Tax Department about the vulnerability, its Director General of Systems acknowledged receipt of TechCrunch's e-mail on 1 October, but did not comment.
It remains unclear how long the vulnerability existed or whether malicious actors accessed the exposed data. CERT-In did not respond to these questions when asked by TechCrunch.
The exact number of users affected by the exposed data is also unclear. The Income Tax Department's portal lists more than 135 million registered users, and more than 76 million users filed income tax returns in the 2024-25 financial year, according to public data available on the portal itself.