FindArticles © 2025. All Rights Reserved.

India Tax Portal Bug Leaked Sensitive Taxpayer Data

By Bill Thompson | Technology
Last updated: October 7, 2025 3:45 pm

A major security hole in India's income tax e-filing portal exposed the personal and financial data of taxpayers to anyone holding an account on the site, the Indian Express reported, citing two independent researchers who verified the flaw and informed the authorities. Any logged-in user could fetch other people's, and other organizations', details without any authorization check at all.

The researchers, Akshay CS and "Viral," said they could make the portal's back end return other users' data simply by changing a value called the Permanent Account Number (PAN) in a network request. The server never validated that the logged-in user was entitled to that record, so it returned the other taxpayer's information as if it were their own.

Table of Contents
  • How the tax portal vulnerability was actually used
  • Personal and financial information exposed to risk
  • Scale of exposure and the possible impact on users
  • Official response and disclosure from authorities
  • Why critical systems still fail to prevent IDOR attacks
  • Legal and policy stakes for India’s tax platforms
  • What should happen next to protect taxpayer data

This class of failure is called an insecure direct object reference (IDOR), a form of broken access control that the OWASP Foundation ranks among the most prevalent and dangerous web security issues. The risk is greatest in systems holding regulated data, where a single missing check turns ordinary queries into a large-scale leak.

How the tax portal vulnerability was actually used

Logging in with their own credentials, the researchers observed the requests the portal made to fetch profile and filing information. Replacing their own PAN in those requests with any other valid PAN was enough: the server returned the other taxpayer's data. No secondary check, consent prompt, or server-side binding of the session to the correct taxpayer stood in the way.

The flaw affected both individual accounts and businesses registered to file returns. Because PANs are already in wide use across financial and government services, and often surface in past breach data or on paperwork, an attacker would not need to guess identifiers to exploit a flaw like this; a list obtained elsewhere would do.
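To make the failure concrete, here is an added example (not the portal's code or the researchers' work; the record store, session format and field names are assumptions for illustration) showing a profile handler with the IDOR described above beside a hardened version that takes the PAN from the authenticated session, refuses any other PAN before looking anything up, and minimises what it returns, including the masked-Aadhaar form that shows only the last four digits:

```python
"""Added example: the access-control failure the researchers described,
modelled as a profile handler, with the IDOR beside a hardened version.
Not the portal's code; record store, session format and field names are
assumptions for illustration."""


class Unauthenticated(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Session is valid but not entitled to the requested object."""


# Constructed sample data: fictitious PANs, Aadhaar numbers and accounts.
TAXPAYERS = {
    "ABCDE1234F": {"name": "Taxpayer One", "email": "one@example.com",
                   "aadhaar": "123412341234", "bank_account": "000111222333"},
    "PQRSX5678Z": {"name": "Taxpayer Two", "email": "two@example.com",
                   "aadhaar": "567856785678", "bank_account": "444555666777"},
}

# Session store: session id -> PAN the session authenticated as.
SESSIONS = {"sess-1": "ABCDE1234F"}


def get_profile_vulnerable(session_id, query):
    """IDOR: the caller is authenticated, but the record returned is chosen
    purely by the caller-supplied 'pan' parameter, which is never compared
    with the identity bound to the session."""
    if session_id not in SESSIONS:
        raise Unauthenticated()
    pan = query["pan"]              # attacker-controlled object reference
    return dict(TAXPAYERS[pan])     # any valid PAN yields that person's record


def mask_aadhaar(aadhaar):
    """Masked Aadhaar as UIDAI recommends: only the last four digits remain."""
    return "XXXX-XXXX-" + aadhaar[-4:]


def get_profile_fixed(session_id, query):
    """Object-level authorization done server-side: the PAN comes from the
    session, a caller-supplied PAN is accepted only if it matches, and the
    response omits or masks fields the screen does not need."""
    if session_id not in SESSIONS:
        raise Unauthenticated()
    own_pan = SESSIONS[session_id]
    # Compare before any lookup, so the response does not reveal whether
    # a foreign PAN exists in the system.
    if query.get("pan", own_pan) != own_pan:
        raise Forbidden(f"session for {own_pan} requested another taxpayer")
    rec = TAXPAYERS[own_pan]
    return {
        "name": rec["name"],
        "email": rec["email"],
        "aadhaar": mask_aadhaar(rec["aadhaar"]),
        "bank_account": "********" + rec["bank_account"][-4:],
    }


def outcome(handler, session_id, query):
    """Run a handler and report an HTTP-style status with the body, if any."""
    try:
        return 200, handler(session_id, query)
    except Unauthenticated:
        return 401, None
    except Forbidden:
        return 403, None


if __name__ == "__main__":
    foreign = {"pan": "PQRSX5678Z"}
    print("vulnerable:", outcome(get_profile_vulnerable, "sess-1", foreign))
    print("fixed:     ", outcome(get_profile_fixed, "sess-1", foreign))
    print("own record:", outcome(get_profile_fixed, "sess-1", {}))
    print("no session:", outcome(get_profile_fixed, "bogus", {}))
```

The point of the fixed handler is that the object identifier is derived from the session, not read from the request; accepting a client-supplied PAN only when it equals the session's own PAN keeps old clients working without reopening the hole. Returning masked Aadhaar and bank-account values also means that a future authorization slip exposes far less.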

Personal and financial information exposed to risk

Information exposed through the portal included full names, home and email addresses, dates of birth, phone numbers, and the bank account details linked to refunds or payments. The researchers also found Aadhaar numbers, the 12-digit personal identifier issued by the Unique Identification Authority of India (UIDAI), which is required to access a host of services.

That combination of identifiers is an invitation to fraud. With a victim's PAN, Aadhaar, and contact details, an attacker can mount convincing spear-phishing, targeted refund hijacks, or SIM swaps designed to capture OTPs. Multifactor authentication helps at sign-in, but it does nothing for authorization failures that expose data once a user is already authenticated.

Scale of exposure and the possible impact on users

The income tax portal has more than 135 million registered users, and the site's public counters show more than 76 million returns filed in the past year. The researchers did not scrape the system at scale, so the number of affected users is unknown, but an easy exploit path combined with a user base that size is what makes this class of bug so dangerous.

Left unmitigated, an IDOR on a high-traffic government site can enable automated harvesting of records at mass scale. Even a short-lived exposure, such as a single data pull by an insider or attacker, has lasting consequences, because PANs and Aadhaar numbers are permanent identifiers that cannot be rotated like a password.

Official response and disclosure from authorities

The researchers reported the vulnerability to India's Computer Emergency Response Team (CERT-In) and said they were not given a timeline for a fix. The Income Tax Department confirmed receiving questions on the matter but had not responded substantively at press time.


Under CERT-In's 2022 directions, covered entities must report cyber incidents within six hours and take mitigation measures. The department has not publicly said whether users were notified or whether additional monitoring was put in place to watch for suspicious access to taxpayer records.

Why critical systems still fail to prevent IDOR attacks

IDORs arise when an application accepts a user-controlled identifier but never verifies that the requested action and the returned data belong to that user. In large portals this is not unusual: the front end looks correct, yet somewhere in the chain of back-end services nothing confirms that the session is permitted to see the record. Microservice sprawl, legacy code, and inconsistent authorization libraries all widen that gap.

Industry guidance is unequivocal: enforce access control server-side on every request; bind sessions to specific accounts; do not return sensitive fields by default; apply rate limiting and anomaly detection; and log every object-level access so that abuse can be found after the fact. Regular penetration testing across the OWASP Top 10 categories and a published vulnerability disclosure policy further reduce the risk.
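As an added example of the logging and anomaly-detection advice above (not code from the portal or the researchers; the log line format, field names and thresholds are assumptions), the script below parses constructed object-level access logs that record both the PAN a session authenticated as and the PAN of the object returned, and flags sessions that read several foreign PANs in a short window, which is the signature a scrape of an IDOR like this one would leave:

```python
"""Added example: hunting for IDOR abuse in object-level access logs.
Not the portal's code; the log line format, field names and thresholds
are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: one line per API read, recording both the PAN the
# session authenticated as and the PAN of the object actually returned.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user_pan=(?P<user>\S+) "
    r"object_pan=(?P<obj>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Constructed sample log (fictitious PANs). s1 and s2 read their own records,
# s3 walks through four foreign PANs in three seconds, s4 reads one foreign PAN.
SAMPLE_LOG = """\
2025-10-01T09:00:01Z session=s1 user_pan=ABCDE1234F object_pan=ABCDE1234F path=/api/profile status=200
2025-10-01T09:00:05Z session=s2 user_pan=PQRSX5678Z object_pan=PQRSX5678Z path=/api/profile status=200
2025-10-01T09:00:06Z session=s2 user_pan=PQRSX5678Z object_pan=PQRSX5678Z path=/api/returns status=200
2025-10-01T09:01:00Z session=s3 user_pan=LMNOP9012Q object_pan=AAAAA0001A path=/api/profile status=200
2025-10-01T09:01:01Z session=s3 user_pan=LMNOP9012Q object_pan=AAAAA0002B path=/api/profile status=200
2025-10-01T09:01:02Z session=s3 user_pan=LMNOP9012Q object_pan=AAAAA0003C path=/api/profile status=200
2025-10-01T09:01:03Z session=s3 user_pan=LMNOP9012Q object_pan=AAAAA0004D path=/api/profile status=200
2025-10-01T09:05:00Z session=s4 user_pan=QWERT4567Y object_pan=ZXCVB7890N path=/api/profile status=200
this line is malformed and must be skipped rather than crash the parser
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def cross_object_reads(events):
    """Successful reads where the object PAN differs from the session's PAN.
    On a portal where one login maps to one taxpayer every such read is a
    finding; if authorised representatives are permitted (an assumption to
    check), exclude their allowed client mappings before this step."""
    return [e for e in events if e["status"] == 200 and e["obj"] != e["user"]]


def flag_sessions(events, max_distinct=3, window_seconds=60):
    """Sessions that read at least max_distinct distinct foreign PANs within
    any window_seconds window: the pattern a scrape of the IDOR would leave."""
    by_session = defaultdict(list)
    for e in cross_object_reads(events):
        by_session[e["session"]].append(e)

    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits within window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {e["obj"] for e in evs[start:end + 1]}
            if len(distinct) >= max_distinct:
                flagged[sid] = {
                    "user_pan": evs[0]["user"],
                    "foreign_pans": sorted({e["obj"] for e in evs}),
                    "first": evs[0]["ts"].isoformat(),
                    "last": evs[-1]["ts"].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events, {len(cross_object_reads(events))} cross-object reads")
    for sid, info in flag_sessions(events).items():
        print(f"FLAG session={sid} user={info['user_pan']} "
              f"foreign={len(info['foreign_pans'])} {info['first']}..{info['last']}")
```

Two design points matter here. First, the detection only works if the log records the identity of the object returned as well as the identity of the caller; a log that captures only the URL and the session cannot tell a legitimate self-lookup from a foreign one. Second, the threshold and window are tuning knobs: on a portal where every login corresponds to exactly one taxpayer, `max_distinct=1` is the right setting and any cross-object read is an incident, while a looser threshold suits systems that legitimately allow representatives to act for a handful of clients.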

Legal and policy stakes for India’s tax platforms

India's Digital Personal Data Protection Act, 2023 requires organizations to implement reasonable security safeguards, and a failure that causes harm can attract significant penalties. Public revenue systems are typically treated as critical information infrastructure and are therefore expected to meet strict security controls and continuous monitoring of activity.

The presence of Aadhaar and bank details raises the stakes for data minimization and masking. UIDAI has long recommended using masked Aadhaar, which shows only the last four digits, wherever the full number is not required, precisely to limit the damage from an access-control failure like this one.

What should happen next to protect taxpayer data

For the portal operator, some immediate next steps should include:

  • A full review of object-level authorization on all APIs
  • Invalidation of any stale sessions
  • Rotation of tokens
  • Auditing for prior access to identify potential abuse

Publishing a post-incident report that spells out the specific technical fixes and their timelines would help rebuild trust.

"Any taxpayer receiving such messages should not respond or act on the information until they verify authenticity," says Gupta. Taxpayers should be wary of any unsolicited communication that quotes their PAN or Aadhaar, scrutinize refund communications, and enable bank and email transaction alerts so that fraudulent withdrawals are noticed quickly.

Any suspicious activity should be reported both to the bank concerned and to the Income Tax Department.

By Bill Thompson
Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.