
A critical vulnerability in the Indian Income Tax Department’s e-Filing portal recently exposed sensitive personal and financial data of taxpayers, according to security researchers. The flaw, now patched, allowed logged-in users to access private information of other taxpayers by manipulating network requests.
How Was the Flaw Discovered?
Security researchers Akshay CS and "Viral" uncovered the issue in September while filing their own returns. They discovered that by simply replacing their Permanent Account Number (PAN) with another PAN in the portal's network requests, they could access other users’ data—without authorization.
The flaw exposed full names, addresses, email IDs, phone numbers, Aadhaar numbers, and bank account details. Alarmingly, the bug also compromised data linked to businesses registered on the portal and individuals who hadn’t filed their returns yet.
This type of flaw is known as an Insecure Direct Object Reference (IDOR)—a common but dangerous vulnerability where the backend fails to verify whether a user is authorized to access certain data. Using standard tools like Postman, Burp Suite, or browser developer tools, any logged-in user with knowledge of another person’s PAN could potentially exploit this weakness.
Likely Reason Behind the System Vulnerability
What caused this Insecure Direct Object Reference (IDOR)? According to experts, it occurred because the backend systems failed to properly verify user permissions, making it easy to access unauthorized records via browser tools. The exposure included individuals who hadn’t yet filed tax returns for the current year.
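The IDOR pattern the researchers describe, as an added example that is not the portal's code: a constructed record lookup that trusts the client-supplied PAN, beside a handler that authorizes against the server-side session, plus a log check that flags the same mismatch. The PANs, record values, endpoint path and log format are all assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample records keyed by PAN; every value here is made up.
TAXPAYERS = {
    "AAAPA1111A": {"name": "Taxpayer One", "aadhaar_last4": "1234", "bank": "XXXX0001"},
    "BBBPB2222B": {"name": "Taxpayer Two", "aadhaar_last4": "5678", "bank": "XXXX0002"},
}


class Forbidden(Exception):
    """Raised when the requested record does not belong to the caller."""


def profile_vulnerable(session: dict, params: dict) -> Optional[dict]:
    """IDOR: the PAN in the request is trusted and used directly as the lookup key,
    so any logged-in user can read any record by changing one parameter."""
    return TAXPAYERS.get(params["pan"])


def profile_hardened(session: dict, params: dict) -> Optional[dict]:
    """Fix: authorize against the server-side session identity, not client input."""
    owner = session["pan"]              # set at login, never taken from the request
    requested = params.get("pan", owner)
    if requested != owner:              # record does not belong to the caller
        raise Forbidden(f"session {owner} requested record {requested}")
    return TAXPAYERS.get(owner)


# Detection: flag successful requests whose session PAN and requested PAN differ.
# The log format is a constructed assumption, not the portal's real logging.
LOG_RE = re.compile(r"session_pan=(\w{10}) .*?[?&]pan=(\w{10}) status=(\d{3})")


def find_cross_pan_requests(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (session_pan, requested_pan) pairs where a user successfully
    (HTTP 200) fetched another taxpayer's record."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(1) != m.group(2) and m.group(3) == "200":
            hits.append((m.group(1), m.group(2)))
    return hits


SAMPLE_LOG = [  # constructed log lines
    "2025-09-28T10:00:01Z session_pan=AAAPA1111A GET /api/profile?pan=AAAPA1111A status=200",
    "2025-09-28T10:00:07Z session_pan=AAAPA1111A GET /api/profile?pan=BBBPB2222B status=200",
    "2025-09-28T10:00:09Z session_pan=BBBPB2222B GET /api/profile?pan=AAAPA1111A status=403",
]
```

Running `find_cross_pan_requests(SAMPLE_LOG)` reports the one cross-PAN read that succeeded; the hardened handler turns the same request into a refusal that can be logged and alerted on.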
The researchers promptly alerted CERT-In, India’s cybersecurity agency. While CERT-In didn’t provide a public timeline, a representative confirmed that the Income Tax Department began working on a fix by September 30, and the issue was resolved by October 2.
Despite the fix, key questions remain unanswered—how long the flaw existed, whether it was exploited, and how many users were affected. The portal has over 135 million registered users, with 76 million filing returns in the 2024–25 financial year, indicating a potentially massive exposure.
The Income Tax Department has yet to issue an official statement, but the incident raises serious concerns about data security, user trust, and the need for stricter access controls in critical government platforms.