The Indian government’s tax authority has fixed a critical security flaw in its online income tax filing portal that had been exposing the personal and financial data of millions of taxpayers.
The flaw, discovered in September by security researchers Akshay CS and “Viral”, allowed any logged-in user of the government’s e-Filing portal to access sensitive data belonging to other taxpayers simply by manipulating a few details in the website’s network requests.
The exposed data included full names, home and email addresses, dates of birth, phone numbers, bank account details, and even Aadhaar numbers, the unique government-issued identity numbers used across India for official services.
According to the researchers, the flaw could be exploited by swapping one person’s Permanent Account Number (PAN) for another’s while logged into the system. This gave access to up-to-date personal and financial information belonging to other users.
“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers said.
The bug, known as an Insecure Direct Object Reference (IDOR), resulted from the portal’s back-end servers not properly verifying which users were authorized to access certain data. Such vulnerabilities are well-known for being simple to exploit but highly damaging when discovered in large-scale government systems.
The issue also affected companies registered on the e-Filing portal and even individuals who had not yet filed their returns this year.
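The missing server-side check described above can be shown in a few lines. This is an added illustration, not the portal's code: the handler names, the delegation table, the threshold and the sample PANs are all hypothetical and constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: placeholder PANs and fields, not real records.
PROFILES = {
    "AAAAA0000A": {"name": "Taxpayer A", "bank_account": "XXXX-0001"},
    "BBBBB1111B": {"name": "Taxpayer B", "bank_account": "XXXX-0002"},
}
# Hypothetical delegation table: other PANs a logged-in PAN may act for.
DELEGATIONS = {"AAAAA0000A": set(), "BBBBB1111B": set()}
denied = defaultdict(set)  # session PAN -> foreign PANs it was refused

class Forbidden(Exception):
    """Raised when the session is not authorized for the requested record."""

@dataclass(frozen=True)
class Session:
    pan: str  # bound to the session at login, never read from the request

def get_profile_vulnerable(session, requested_pan):
    """IDOR: the caller is authenticated, but the client-supplied PAN is trusted."""
    return PROFILES[requested_pan]

def get_profile_hardened(session, requested_pan):
    """Object-level authorization, checked before any lookup so that the
    response does not reveal whether a foreign PAN exists."""
    allowed = {session.pan} | DELEGATIONS.get(session.pan, set())
    if requested_pan not in allowed:
        denied[session.pan].add(requested_pan)  # keep for detection
        raise Forbidden("not authorized for this PAN")
    return PROFILES[requested_pan]

def enumeration_suspects(threshold=3):
    """Sessions refused on at least `threshold` distinct foreign PANs."""
    return sorted(p for p, seen in denied.items() if len(seen) >= threshold)
```

The refusal log matters as much as the check: repeated refusals across distinct identifiers from one session are the signal that someone is walking the identifier space.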
The researchers immediately reported the issue to CERT-In, India’s national cybersecurity agency, which confirmed the Income Tax Department was working to patch the flaw. The vulnerability was officially fixed by October 2, according to the researchers.
While the Income Tax Department acknowledged receiving media requests for comment, it did not respond to specific questions about the flaw or how long it had existed. Similarly, the Ministry of Finance has not issued a public statement.
It remains unclear whether malicious actors exploited the bug before it was fixed or how many users were affected. However, the Income Tax Department’s portal reportedly has over 135 million registered users, with 76 million filing returns during the 2024–25 financial year.
This incident highlights the ongoing risks of weak security practices in large public systems handling sensitive citizen data. While the flaw has now been resolved, experts say it underscores the urgent need for stronger cybersecurity protocols and regular vulnerability testing across India’s growing digital infrastructure.

