
India’s Tax Portal Exposed Millions of Citizens’ Data via Simple Exploit

Critical vulnerability allowed logged-in users to access others’ financial and identity details, including Aadhaar and bank information, until patched in early October


Sensitive Taxpayer Data Exposed via Simple Exploit

A major security flaw in India’s income tax e-Filing portal left millions of taxpayers vulnerable to data exposure, TechCrunch has learned. The bug allowed any logged-in user to access highly sensitive personal and financial information of other users — including names, Aadhaar numbers, contact details, and bank account data — simply by swapping out identification details in a network request.

  • The vulnerability was discovered in September 2025 by Indian security researchers Akshay CS and “Viral.”
  • TechCrunch independently verified the flaw’s existence and confirmed it was fixed on October 2.
  • The issue remained unresolved for weeks despite early reporting to CERT-In, India’s cybersecurity agency.

What the Bug Exposed

Using simple tools like Postman, Burp Suite, or browser developer tools, logged-in users could exploit what's known as an IDOR (Insecure Direct Object Reference) vulnerability, in which the server returns whatever record the client names without checking that the authenticated user is entitled to it:

  • By swapping their Permanent Account Number (PAN) with someone else’s in the web request, they could retrieve that person’s full tax profile.
  • Data included:
    • Full names
    • Addresses
    • Phone numbers and emails
    • Date of birth
    • Bank account details
    • Aadhaar numbers (India’s national identity system)
  • The flaw also exposed company information and data of users who had not yet filed their tax returns.

“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers said.


135 Million Registered Users Potentially Affected

India’s tax portal boasts 135+ million registered users and over 76 million tax returns filed in the current financial year alone. While it remains unclear how long the vulnerability existed or whether it was exploited, the scale of exposure is significant.

  • Neither the Indian Ministry of Finance nor the Income Tax Department has disclosed how long the flaw persisted.
  • No confirmation has been provided on whether the exposed data was accessed by malicious actors.

Government Agencies Acknowledged, But Did Not Comment

Upon discovering the flaw, the researchers immediately alerted CERT-In, India’s Computer Emergency Response Team. While CERT-In acknowledged the vulnerability, it provided no clear timeline for remediation.

  • TechCrunch reached out to both the Income Tax Department and Ministry of Finance for comment.
  • The Director General of Systems at the tax department acknowledged receipt of TechCrunch’s email but offered no further comment.

This raises fresh concerns over how Indian government agencies respond to responsible vulnerability disclosures, especially those involving critical infrastructure and citizen data.


A Preventable, Common Vulnerability

The bug falls under a well-known security category, IDOR, a form of broken access control that OWASP ranks at the top of its Top 10 web application risks (A01:2021) and that OWASP and other cybersecurity bodies have flagged as easy to fix but often overlooked.

  • IDOR vulnerabilities are prevented with a server-side authorization check on every request: the backend must confirm that the authenticated session owns (or is otherwise entitled to) the record identified by the client-supplied PAN, rather than trusting the identifier as sent. Authentication alone, which this portal had, is not enough.
  • That this flaw existed in a portal used by millions of citizens to submit sensitive financial and identity data reflects a significant failure in secure development practices.
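The following is an added illustration of the request-swap described under "What the Bug Exposed" and of the backend authorization check described above. It is example code written for this page, not code from the e-Filing portal, TechCrunch, or the researchers: the handler names, the in-memory profile and session tables, and the PAN-shaped identifiers are all constructed placeholders, not real taxpayer data. The vulnerable handler authenticates the caller and then looks up whatever PAN the client sent; the fixed handler derives the PAN from the session and refuses any mismatch. The probe at the end is the two-account differential test a reviewer would run to confirm the defect and the fix.

```python
"""IDOR in a tax-profile lookup: vulnerable handler beside its hardened form.
All data below is constructed for this example; the PAN strings are
placeholders shaped like a PAN, not real numbers."""

from dataclasses import dataclass
from typing import Optional

# Constructed profile store keyed by PAN (Permanent Account Number).
PROFILES = {
    "AAAPA0000A": {"name": "Taxpayer One", "bank_account": "XXXX0001", "aadhaar_last4": "0001"},
    "BBBPB1111B": {"name": "Taxpayer Two", "bank_account": "XXXX0002", "aadhaar_last4": "0002"},
}

# Constructed session table: bearer token -> PAN of the logged-in user.
SESSIONS = {
    "token-user-one": "AAAPA0000A",
    "token-user-two": "BBBPB1111B",
}


@dataclass
class Response:
    status: int
    body: Optional[dict]


def authenticate(headers: dict) -> Optional[str]:
    """Map the bearer token to the caller's PAN, or None if not logged in."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):].strip())


def get_profile_vulnerable(headers: dict, params: dict) -> Response:
    """Authenticates the caller, then returns the profile for whatever PAN the
    client supplied. The ownership check is missing: this is the IDOR."""
    caller_pan = authenticate(headers)
    if caller_pan is None:
        return Response(401, None)
    profile = PROFILES.get(params.get("pan"))
    if profile is None:
        return Response(404, None)
    return Response(200, profile)


def get_profile_fixed(headers: dict, params: dict) -> Response:
    """Same endpoint with the authorization check added. The PAN is taken from
    the session; a client-supplied PAN is accepted only if it matches."""
    caller_pan = authenticate(headers)
    if caller_pan is None:
        return Response(401, None)
    requested = params.get("pan", caller_pan)
    if requested != caller_pan:
        # Deny without revealing whether the other PAN exists.
        return Response(403, None)
    profile = PROFILES.get(caller_pan)
    if profile is None:
        return Response(404, None)
    return Response(200, profile)


def idor_probe(handler) -> tuple:
    """Two-account differential test: user one, logged in, requests user two's
    PAN. Returns (status, leaked); leaked is True when user two's data came back."""
    headers = {"Authorization": "Bearer token-user-one"}
    resp = handler(headers, {"pan": "BBBPB1111B"})
    leaked = resp.status == 200 and resp.body == PROFILES["BBBPB1111B"]
    return resp.status, leaked


if __name__ == "__main__":
    print("vulnerable:", idor_probe(get_profile_vulnerable))  # (200, True)
    print("fixed:     ", idor_probe(get_profile_fixed))       # (403, False)
```

The probe is the check worth keeping in a regression suite: two ordinary accounts, one asking for the other's identifier, expecting a 403. Because the article reports that company records and profiles of users who had not yet filed were also reachable, the fix belongs in one central authorization layer that every PAN-keyed endpoint passes through, not in a single handler; otherwise the same swap reappears on the next endpoint that accepts a PAN.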

What’s Next: Transparency, Accountability, and Audits Needed

This incident underscores the urgent need for transparency and stronger data protection protocols in India’s public digital infrastructure:

  • Users deserve to know whether their data was accessed or misused.
  • Government bodies should establish clear, public timelines for fixing and disclosing vulnerabilities.
  • Regular independent audits of platforms that collect or process sensitive citizen data must become standard.

As more of India’s civic and financial life moves online, security cannot be an afterthought.

A critical flaw in India’s income tax portal exposed sensitive data of millions of taxpayers due to an easily exploitable vulnerability. While the bug was patched in October, questions remain about how long it existed, whether it was exploited, and why the government took weeks to act after being alerted.