India’s Income Tax Portal Fixed Major Data Leak Flaw – Ankor Tech

The Indian government has successfully patched a critical security vulnerability within its income tax e-Filing portal. The flaw, which was identified in September by security researchers Akshay CS and a researcher identified as “Viral,” exposed highly sensitive personal and financial records of millions of taxpayers.

Extent of the Data Exposure

The vulnerability allowed any authenticated user on the portal to access the private information of other taxpayers. Compromised data included full names, residential addresses, email contacts, dates of birth, phone numbers, and banking details. Furthermore, the breach exposed the Aadhaar number—a critical government-issued biometric identifier used for identity verification and access to essential state services.

The risk extended beyond individual taxpayers to include companies registered on the e-Filing platform. Investigations confirmed that the bug was exploitable even for individuals who had not yet submitted their tax returns for the current financial year.

The Mechanics of the IDOR Vulnerability

The researchers discovered the flaw while filing their own tax returns. The issue stemmed from an Insecure Direct Object Reference (IDOR) vulnerability. By simply swapping a Permanent Account Number (PAN) within the network request during the page load, a logged-in user could bypass authorization checks and view another taxpayer’s records.

Exploiting the flaw required only standard tools, such as Burp Suite, Postman, or the browser’s built-in developer tools. The researchers described the flaw as an “extremely low-hanging” security oversight, noting that the portal’s back-end servers authenticated the user but never verified whether that user was permitted to access the specific record requested.
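The missing check described above, as an added illustration that is not the portal’s code: a PAN-keyed lookup in the vulnerable form (authentication only) beside a hardened form that enforces object-level authorization before reading the record. All PANs, names and records are constructed placeholders, and the session model (a user’s own PAN plus any entity PANs they may act for) is an assumption.

```python
"""Added example, not the portal's code: an IDOR-style profile lookup keyed on a
PAN, in its vulnerable form and in a hardened form that checks ownership first.
Every PAN, name and record below is a constructed placeholder value."""
from dataclasses import dataclass, field

# Constructed sample data: taxpayer records keyed by (placeholder) PAN.
PROFILES = {
    "AAAPA1111A": {"name": "Taxpayer One", "aadhaar_last4": "1234", "bank": "XXXX0001"},
    "BBBPB2222B": {"name": "Taxpayer Two", "aadhaar_last4": "5678", "bank": "XXXX0002"},
    "CCCCC3333C": {"name": "Sample Co. Pvt Ltd", "aadhaar_last4": None, "bank": "XXXX0003"},
}


@dataclass
class Session:
    """An authenticated session (assumed model): the user's own PAN plus any
    entity PANs, such as a company, the user is explicitly authorised to act for."""
    user_pan: str
    authorized_pans: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised when the session may not access the requested PAN."""


def get_profile_vulnerable(session: Session, requested_pan: str) -> dict:
    """Vulnerable pattern: the caller is logged in, so the handler trusts the
    client-supplied PAN and returns whatever record it names."""
    return PROFILES[requested_pan]


def is_authorized(session: Session, requested_pan: str) -> bool:
    """Object-level authorisation: the PAN must be the session user's own PAN
    or one the user has been explicitly granted."""
    return requested_pan == session.user_pan or requested_pan in session.authorized_pans


def get_profile_hardened(session: Session, requested_pan: str) -> dict:
    """Hardened pattern: deny before the record is read, and give the same
    response for 'not yours' and 'does not exist' so the endpoint cannot be
    used to confirm which PANs are registered."""
    if not is_authorized(session, requested_pan) or requested_pan not in PROFILES:
        raise Forbidden("access denied")
    return PROFILES[requested_pan]


def get_own_profile(session: Session) -> dict:
    """Preferred where a page only ever shows the caller's own record: derive
    the PAN from the session and ignore any client-supplied identifier."""
    return PROFILES[session.user_pan]
```

Where a route genuinely must accept a PAN parameter (for example, an agent acting for a company), the authorization decision should be logged, so that a burst of denied lookups from one session is visible to detection.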

Response and Current Status

The researchers reported the vulnerability to CERT-In (Computer Emergency Readiness Team) shortly after its discovery. While they were not initially provided with a clear timeline for remediation, CERT-In confirmed on September 30 that the Income Tax Department was actively working on a fix.

On October 2, the researchers verified that the vulnerability had been successfully resolved. Representatives from the Indian Income Tax Department acknowledged receipt of inquiries regarding the incident but declined to provide additional commentary. Consequently, it remains unknown whether malicious actors exploited this flaw before it was discovered, and how many individuals’ data may have been accessed.

According to public data provided by the department, the portal serves more than 135 million registered users, and over 76 million returns were filed during the 2024-25 financial year.