
India's Income Tax Portal Exposed Taxpayer Data Through Critical Security Flaw

A severe security vulnerability in India's income tax e-filing portal allowed unauthorized access to sensitive taxpayer information, including personal details, bank accounts, and Aadhaar numbers. Security researchers discovered the flaw could expose data from over 135 million registered users before it was patched.

[Image: India Income Tax Department portal displaying the security vulnerability that exposed taxpayer data. Image credits: TechCrunch]

How the Vulnerability Worked

Security researchers Akshay CS and "Viral" discovered a critical flaw in India's income tax e-filing portal that exposed sensitive taxpayer information. The bug was an insecure direct object reference (IDOR) vulnerability that allowed any logged-in user to access other people's data by simply changing a Permanent Account Number (PAN) in network requests. The portal's backend servers failed to properly validate whether users had permission to view specific records, making this exploitation surprisingly simple yet devastating in scope.
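The following added example (illustrative code, not the e-filing portal's or the researchers' code) models the access pattern described above: a handler that trusts a client-supplied PAN is an IDOR, while the hardened handler enforces object-level authorization by binding the request to the PAN the session was authenticated for. It also includes a small detection routine over constructed access-log lines, since a session that requests PANs other than its own is the signature of enumeration. All records, PANs, session ids and log lines are constructed placeholders.

```python
# Added example: IDOR on a PAN-keyed lookup, the hardened lookup, and a
# log check for cross-PAN access. Nothing here is real portal code or data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    pan: str  # the PAN this session was authenticated for (assumed binding)


class Forbidden(Exception):
    """Raised when a session requests a record it does not own."""


# Constructed sample records keyed by PAN; values are placeholders.
RECORDS = {
    "TESTP1111A": {"name": "Taxpayer One", "bank_last4": "1111"},
    "TESTP2222B": {"name": "Taxpayer Two", "bank_last4": "2222"},
}


def get_taxpayer_insecure(session, pan):
    """IDOR: the caller is authenticated, but nothing checks that `pan`
    belongs to `session`, so any logged-in user can read any record."""
    return RECORDS.get(pan)


def get_taxpayer_secure(session, pan):
    """Object-level authorization: a record may only be read by its owner.
    The check is against the server-side session binding, never a client
    claim, so changing the PAN in the request changes nothing."""
    if pan != session.pan:
        raise Forbidden(f"session {session.user_id} may not read {pan}")
    return RECORDS.get(pan)


def get_own_record(session):
    """Safest shape: drop the client-supplied identifier entirely and
    derive the key from the session, so there is no parameter to tamper."""
    return RECORDS.get(session.pan)


# Constructed access log: one line per lookup, key=value fields.
SAMPLE_LOG = """\
2025-09-01T10:00:00Z session=s1 user_pan=TESTP1111A requested_pan=TESTP1111A status=200
2025-09-01T10:00:05Z session=s2 user_pan=TESTP2222B requested_pan=TESTP2222B status=200
2025-09-01T10:00:06Z session=s2 user_pan=TESTP2222B requested_pan=TESTP1111A status=200
2025-09-01T10:00:07Z session=s2 user_pan=TESTP2222B requested_pan=TESTP3333C status=200
2025-09-01T10:00:08Z session=s2 user_pan=TESTP2222B requested_pan=TESTP4444D status=404
"""


def flag_cross_pan_access(log_text):
    """Return {session: sorted list of foreign PANs requested}.

    Any request for a PAN other than the session's own is reported,
    regardless of status, because failed probes (404) are as telling as
    successful reads when an identifier is being walked sequentially."""
    foreign = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        sid = fields.get("session")
        own, requested = fields.get("user_pan"), fields.get("requested_pan")
        if not (sid and own and requested):
            continue
        if requested != own:
            foreign.setdefault(sid, set()).add(requested)
    return {sid: sorted(pans) for sid, pans in foreign.items()}


if __name__ == "__main__":
    s1 = Session("u1", "TESTP1111A")
    print("insecure:", get_taxpayer_insecure(s1, "TESTP2222B"))  # leaks
    try:
        get_taxpayer_secure(s1, "TESTP2222B")
    except Forbidden as exc:
        print("secure:", exc)
    print("own:", get_own_record(s1))
    print("flagged:", flag_cross_pan_access(SAMPLE_LOG))
```

The ownership check must run on every object-returning endpoint, not just the one the researchers reported; the detection rule is deliberately coarse (one foreign PAN is enough) because a legitimate self-service portal has no reason for a session to request a PAN it did not authenticate with.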

Scale of Data Exposure

The vulnerability affected India's massive tax system, which serves over 135 million registered users and processed 76 million tax returns in the last financial year. Exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, bank account details and, critically, Aadhaar numbers, India's unique 12-digit personal identifier. This combination of information creates significant risks of fraud, identity theft, and targeted phishing attacks, because these identifiers are permanent and are used across multiple government and financial services.

Official Response and Timeline

The researchers responsibly disclosed the vulnerability to India's Computer Emergency Response Team (CERT-In) shortly after discovery in September 2025. CERT-In confirmed the issue was being addressed, though no specific timeline was initially provided. TechCrunch verified the bug's existence and confirmed with researchers that it was fixed by October 2, 2025. The Income Tax Department acknowledged receiving inquiries about the vulnerability but provided limited public comment about the incident or any user notification measures.

Implications for Government Cybersecurity

This incident highlights persistent challenges in securing critical government infrastructure, particularly as IDOR vulnerabilities are well-documented and preventable through proper access controls. The breach raises questions about compliance with India's Digital Personal Data Protection Act and the adequacy of security measures for systems handling sensitive financial data. Industry experts emphasize that such vulnerabilities in tax systems - which store permanent identifiers like PANs and Aadhaar numbers - can have long-lasting consequences even after being patched, as the exposed data cannot be easily changed or revoked.
