
India Tax Portal Bug Leaked Sensitive Taxpayer Data

Bill Thompson
Last updated: October 28, 2025 11:01 am

A serious access-control flaw in India’s income tax e-filing portal was found exposing taxpayers’ personal and financial data to unauthorised parties, Indian Express reported, citing two independent researchers who verified the flaw and informed the authorities. Any logged-in user could abuse the bug to fetch other individuals’ and organisations’ details without any authorisation at all.

The researchers, Akshay CS and “Viral,” said the portal’s back end could be made to return another user’s data simply by changing the Permanent Account Number (PAN) in a network request. The server never checked that the logged-in user was entitled to that record, so it returned the other taxpayer’s current information.


This class of failure is known as an insecure direct object reference (IDOR), a form of broken access control, the category the OWASP Foundation places at the top of its Top 10 list of web application risks. It is especially damaging in systems holding regulated data, where a single missing check turns ordinary queries into a mass leak.

How the tax portal vulnerability was actually used

Logging in with their own credentials, the researchers watched the requests the portal made to fetch profile and filing information. Replacing their own PAN in those requests with any other valid PAN was enough: the server returned that taxpayer’s information. No second factor, consent prompt or server-side binding of the session to the right taxpayer stood in the way.

The flaw affected both individual accounts and businesses registered to file returns. Because PANs are used so widely across financial and government services, and routinely turn up in past breach data and paperwork, an attacker would not have to guess identifiers: a list obtained elsewhere would do.

Personal and financial information exposed to risk

Information exposed through the portal included full names, home and email addresses, dates of birth, phone numbers, and bank account details linked to refunds or payments. The researchers also found Aadhaar numbers, the 12-digit personal identifier issued by the Unique Identification Authority of India (UIDAI), which is required for a host of services.

That combination of identifiers is an invitation to fraud. With PAN, Aadhaar and contact details, a victim can be targeted with convincing spear-phishing, refund hijacks, or SIM swaps designed to capture OTPs. Multifactor authentication protects the sign-in step, but it does nothing against authorisation failures that expose data once a user is already authenticated.

Scale of exposure and the possible impact on users

The income tax portal has more than 135 million registered users, and the site’s public counters show over 76 million returns filed in the last year. The researchers did not perform any sweeping scrapes, so the number of affected users is unknown, but the combination of a trivial exploit path and a huge user base makes this class of bug particularly dangerous.

If left unmitigated, an IDOR in a high-traffic government website allows mass automated harvesting of records. Even a short-lived exposure (a single data pull by an insider or attacker) has lasting consequences, because PANs and Aadhaar numbers are permanent identifiers.

Official response and disclosure from authorities

The researchers notified India’s Computer Emergency Response Team (CERT-In) of the vulnerability and said they were given no timeline for a fix. The Income Tax Department confirmed receiving questions on the topic but had not responded substantively at press time.


Entities covered by CERT-In’s 2022 directions are required to report cyber incidents within six hours and take mitigation steps. The department has not publicly said whether users were alerted or whether additional monitoring was set up to watch for suspicious access to taxpayer records.

Why critical systems still fail to prevent IDOR attacks

IDORs occur when an application accepts user-controlled identifiers but does not verify that the requested action and the returned data are permitted for that user. In large portals this commonly happens when the front end looks correct but the back-end services cannot tell whether the session is allowed to see a record. Microservice sprawl, legacy code, and inconsistent authorisation libraries all widen the gap.
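The pattern the researchers described (swap the PAN in the request, get someone else’s record) and the cause explained in this paragraph reduce to one missing check. The following is an added illustration, not code from the e-filing portal; the in-memory taxpayer table, the PANs, the `Session` class and the handler names are all constructed for the example, and the portal’s real request format is not known from the report.

```python
"""Added example: the IDOR pattern beside its hardened form (illustrative, not the portal's code)."""
from dataclasses import dataclass

# Constructed sample records, keyed by PAN. Every value is a placeholder.
TAXPAYERS = {
    "ABCDE1234F": {"name": "Taxpayer One", "aadhaar_last4": "1111", "bank": "XXXX0001"},
    "PQRST5678K": {"name": "Taxpayer Two", "aadhaar_last4": "2222", "bank": "XXXX0002"},
}


@dataclass
class Session:
    """Server-side session minted at login. `pan` is the authenticated identity;
    the client never gets to choose it."""
    session_id: str
    pan: str


class Forbidden(Exception):
    """Raised when a request is authenticated but not authorised."""


def profile_vulnerable(session, requested_pan):
    """The failure mode in the article: login is checked, ownership is not.

    Any logged-in session can pass any PAN and receive that taxpayer's record.
    """
    if session is None:
        raise Forbidden("login required")
    return TAXPAYERS[requested_pan]  # object chosen by the client, never tied to the session


def profile_hardened(session, requested_pan=None):
    """Object-level authorisation: the record is looked up by the session's own PAN.

    A client-supplied PAN is accepted only if it equals the session's identity, so
    substituting another PAN yields Forbidden instead of another user's data.
    Delegated access (a registered tax preparer, say) would need an explicit grant
    table and is deliberately not modelled here.
    """
    if session is None:
        raise Forbidden("login required")
    if requested_pan is not None and requested_pan != session.pan:
        raise Forbidden("requested PAN does not belong to this session")
    return TAXPAYERS[session.pan]


def attempt(handler, session, requested_pan):
    """Run a handler and reduce the outcome to a string that is easy to compare."""
    try:
        return handler(session, requested_pan)["name"]
    except Forbidden as exc:
        return f"forbidden: {exc}"


if __name__ == "__main__":
    victim_session = Session("sid-1", "ABCDE1234F")  # logged in as Taxpayer One
    print(attempt(profile_vulnerable, victim_session, "PQRST5678K"))  # Taxpayer Two (leak)
    print(attempt(profile_hardened, victim_session, "PQRST5678K"))    # forbidden
    print(attempt(profile_hardened, victim_session, "ABCDE1234F"))    # Taxpayer One
```

The important design choice is in `profile_hardened`: the database lookup key comes from the session, not from the request. Comparing the two values is a defence in depth; dropping the client-supplied identifier altogether removes the bug class rather than guarding against it.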

Industry advice is unequivocal: enforce server-side access controls on every request; bind sessions to specific accounts; do not return sensitive fields by default; rate-limit and detect anomalous access; and log every object-level read. Regular penetration tests across the OWASP Top 10 categories and a vulnerability disclosure policy further reduce risk.
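Logging every object-level read is only useful if something looks at the log. As an added example of the anomaly detection and rate limiting this paragraph calls for, the script below scans access-log lines for two signals of IDOR enumeration: successful reads where the record’s PAN differs from the session’s own PAN, and sessions that touch many records in a short window. This is illustrative code, not the portal’s monitoring; the log format, field names, thresholds and the sample lines are all constructed for the example.

```python
"""Added example: spotting IDOR enumeration in object-level access logs (illustrative)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed): one line per object-level read, recording both
# the authenticated identity (actor_pan) and the record that was returned (object_pan).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) actor_pan=(?P<actor>\S+) "
    r"object=profile object_pan=(?P<target>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample log. Session s2 reads three other taxpayers' records in four seconds.
SAMPLE_LOG = """\
2025-10-27T09:00:01Z session=s1 actor_pan=ABCDE1234F object=profile object_pan=ABCDE1234F status=200
2025-10-27T09:00:09Z session=s2 actor_pan=PQRST5678K object=profile object_pan=ABCDE1234F status=200
2025-10-27T09:00:10Z session=s2 actor_pan=PQRST5678K object=profile object_pan=LMNOP9012Q status=200
this line is not in the expected format and is skipped by the parser
2025-10-27T09:00:11Z session=s2 actor_pan=PQRST5678K object=profile object_pan=ZZZZZ0000Z status=200
2025-10-27T09:00:12Z session=s2 actor_pan=PQRST5678K object=profile object_pan=PQRST5678K status=200
2025-10-27T09:01:00Z session=s3 actor_pan=LMNOP9012Q object=profile object_pan=LMNOP9012Q status=200
"""


def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are ignored."""
    for line in lines.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def cross_account_reads(lines):
    """Successful reads where the returned record belongs to someone other than the actor.

    With object-level authorisation in place this list is empty, apart from explicitly
    modelled delegations; every entry is therefore worth an alert on its own.
    """
    return [e for e in parse(lines) if e["status"] == "200" and e["target"] != e["actor"]]


def enumeration_suspects(lines, distinct_threshold=3):
    """Sessions that read at least `distinct_threshold` distinct PANs other than their own."""
    seen = defaultdict(set)
    for e in cross_account_reads(lines):
        seen[e["sid"]].add(e["target"])
    return {sid: sorted(pans) for sid, pans in seen.items() if len(pans) >= distinct_threshold}


def burst_sessions(lines, window_seconds=60, max_reads=3):
    """Sessions exceeding `max_reads` object reads inside any `window_seconds` window.

    Sliding-window count per session; the same logic, run inline, is a rate limiter.
    Returns {session_id: peak_reads_in_window}.
    """
    by_sid = defaultdict(list)
    for e in parse(lines):
        by_sid[e["sid"]].append(_ts(e["ts"]))
    flagged = {}
    for sid, times in by_sid.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_reads:
            flagged[sid] = peak
    return flagged


if __name__ == "__main__":
    print(len(cross_account_reads(SAMPLE_LOG)), "cross-account reads")  # 3
    print(enumeration_suspects(SAMPLE_LOG))  # {'s2': ['ABCDE1234F', 'LMNOP9012Q', 'ZZZZZ0000Z']}
    print(burst_sessions(SAMPLE_LOG))        # {'s2': 4}
```

The first check (`cross_account_reads`) is only possible because the log records both the actor’s identity and the object’s owner; a log that stores just the URL and a session ID cannot express the question “did this user read someone else’s record?”, which is the one a post-incident audit needs to answer.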

Legal and policy stakes for India’s tax platforms

India’s Digital Personal Data Protection Act requires organisations to implement reasonable security safeguards and provides for significant penalties when a failure causes harm. Public revenue systems are typically classed as critical information infrastructure and are therefore subject to strict security controls and continuous monitoring.

The presence of Aadhaar and bank details raises the stakes for data minimisation and masking. UIDAI has long recommended masking Aadhaar wherever full disclosure is not necessary, which limits the damage when access controls fail.

What should happen next to protect taxpayer data

For the portal operator, some immediate next steps should include:

  • A full review of object-level authorization on all APIs
  • Invalidation of any stale sessions
  • Rotation of tokens
  • Auditing for prior access to identify potential abuse

Publishing a post-incident report that includes specific technical fixes and timelines builds trust.

“Any taxpayer receiving such messages should not respond or act on the information until they verify authenticity,” says Gupta. Taxpayers should be vigilant if they receive any unsolicited communication with their PAN or Aadhaar, check refund communications, and activate bank and email alerts in their online account to prevent fraudsters from withdrawing money.

Any such suspicious activity should be reported to the bank concerned as well as to the Income Tax Department.

Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.