A major security flaw in India’s income tax filing portal recently exposed sensitive personal and financial data of taxpayers. The issue was discovered by two independent security researchers and has now been fixed by the government’s tax department.
According to a report by TechCrunch, the vulnerability allowed any logged-in user on the e-Filing portal to view private details of other taxpayers. This included full names, home addresses, email addresses, phone numbers, bank account details, dates of birth, and even Aadhaar numbers, which are unique government-issued identifiers used for verification and access to various services in India.
Security researchers “Akshay CS” and “Viral” found the flaw in September while filing their own income tax returns. They noticed that by simply changing a Permanent Account Number (PAN) in a network request, they could access personal and financial data belonging to other users.
This vulnerability is called Insecure Direct Object Reference (IDOR), a common but serious web security flaw. It happens when an application does not properly verify whether the logged-in user has permission to access a specific set of data.
The researchers said the flaw could easily be exploited using common tools like Postman or Burp Suite, or even the browser’s built-in developer tools. Anyone with basic technical knowledge who knew another person’s PAN could potentially view that person’s tax details.
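To make the IDOR pattern concrete, here is an added illustration (not the portal’s code, and not from the researchers) of a “fetch taxpayer profile” handler written the vulnerable way beside a hardened version. The record store, PAN values, session layout and function names are all constructed for the example; the point is that the fix authorises the requested object against the session identity rather than merely checking that the caller is logged in, and logs mismatches so that identifier enumeration becomes visible to defenders.

```python
"""
Minimal model of an IDOR in a "fetch taxpayer profile" endpoint, with a
hardened version beside it. Added illustration, not the portal's code.
Record contents, PAN values and the session format are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample store keyed by PAN (identifiers and values are made up).
TAXPAYERS = {
    "AAAPA0000A": {"name": "Taxpayer One", "bank_account": "XXXX1111"},
    "BBBPB0000B": {"name": "Taxpayer Two", "bank_account": "XXXX2222"},
}


@dataclass
class Session:
    """Authenticated session; `pan` is the identity the user logged in as."""
    pan: str
    authenticated: bool = True


@dataclass
class Response:
    """Tiny stand-in for an HTTP response."""
    status: int
    body: Optional[dict] = None


def get_profile_vulnerable(session: Session, requested_pan: str) -> Response:
    """IDOR: checks only that the caller is logged in, then trusts the PAN
    supplied in the request and returns whatever record it names."""
    if not session.authenticated:
        return Response(401)
    record = TAXPAYERS.get(requested_pan)
    if record is None:
        return Response(404)
    return Response(200, record)


# Audit trail for authorisation failures (constructed; a real service would
# write to its logging pipeline instead of an in-memory list).
AUDIT_LOG: list = []


def get_profile_fixed(session: Session, requested_pan: str) -> Response:
    """Authorises the object, not just the caller: the requested PAN must be
    the one bound to the session, otherwise the request is refused and logged."""
    if not session.authenticated:
        return Response(401)
    if requested_pan != session.pan:
        # A burst of these from one session is the detection signal for
        # someone walking through identifiers.
        AUDIT_LOG.append(
            f"authz-denied session_pan={session.pan} requested_pan={requested_pan}"
        )
        return Response(403)
    record = TAXPAYERS.get(requested_pan)
    if record is None:
        return Response(404)
    return Response(200, record)


def get_own_profile(session: Session) -> Response:
    """Stronger design: the identifier never comes from the client at all,
    so there is nothing in the request to tamper with."""
    return get_profile_fixed(session, session.pan)


if __name__ == "__main__":
    s = Session(pan="AAAPA0000A")
    print("vulnerable, other PAN:", get_profile_vulnerable(s, "BBBPB0000B").status)
    print("fixed, other PAN:     ", get_profile_fixed(s, "BBBPB0000B").status)
    print("fixed, own PAN:       ", get_own_profile(s).status)
    print("audit:", AUDIT_LOG)
```

The `get_own_profile` variant is the design most frameworks recommend for per-user resources: derive the key from the authenticated principal server-side. Where a client-supplied identifier is genuinely needed (an authorised representative viewing a client’s return, for example), the check in `get_profile_fixed` becomes a lookup in an explicit delegation table rather than a simple equality test, but the rule stays the same: every object access is authorised against the session, never inferred from the mere fact of being logged in.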
The flaw was officially fixed by October 2, after the researchers alerted the Indian Computer Emergency Response Team (CERT-In), which oversees cybersecurity incidents in the country.
The Indian income tax portal has over 135 million registered users, and more than 76 million people filed their income tax returns for the financial year 2024–25. This means that a large number of taxpayers could have been at risk while the flaw was active.