Indian Tax Department Fixes Major Security Flaw Exposing Sensitive Taxpayer Data
The Indian government’s Income Tax Department has patched a critical security vulnerability in its official e-Filing portal that had been exposing sensitive personal and financial data of taxpayers across the country.
The flaw, discovered in September, allowed any logged-in user on the tax portal to access up-to-date personal information of other individuals by manipulating network requests. Exposed data included full names, home addresses, dates of birth, email addresses, phone numbers, bank account details, and Aadhaar numbers — the unique national ID used for identity verification and government services.
Security researchers who uncovered the issue described it as an “extremely low-hanging” bug with severe consequences. By logging in with their Permanent Account Number (PAN) and altering the PAN value in the network request, users could view private financial data of others. This could be achieved using common tools such as Postman, Burp Suite, or even a browser’s built-in developer tools.
Experts identified the flaw as an Insecure Direct Object Reference (IDOR) — a simple yet high-impact vulnerability resulting from improper access controls on the backend servers. Such flaws can be easily exploited and are known to cause large-scale data breaches if left unaddressed.
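The access-control gap described above, as an added example (not code from the article or from the portal): a PAN-keyed profile lookup that checks only that the caller is logged in, beside a hardened version that also enforces object-level authorization and records denied cross-PAN requests for detection. All PANs, names and records are constructed.

```python
"""Added example: a minimal model of an IDOR on a PAN-keyed lookup and its fix.
All sample records and PAN values below are constructed for illustration."""
import re

# Constructed sample records keyed by PAN (format: 5 letters, 4 digits, 1 letter).
TAXPAYERS = {
    "AAAAA0000A": {"name": "Taxpayer A", "bank_account": "XXXX1111"},
    "BBBBB0000B": {"name": "Taxpayer B", "bank_account": "XXXX2222"},
}
PAN_RE = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]")


def profile_vulnerable(session_pan, requested_pan):
    """Only checks that the caller is logged in; whatever PAN the request
    carries is served. This is the IDOR pattern: the PAN in the request is
    trusted as the record selector without checking who owns it."""
    if session_pan not in TAXPAYERS:
        return 401, {"error": "login required"}
    record = TAXPAYERS.get(requested_pan)
    return (200, record) if record else (404, {"error": "not found"})


def profile_fixed(session_pan, requested_pan, audit_log):
    """Same lookup with object-level authorization: the requested PAN must be
    the authenticated session's own PAN. Mismatches are appended to audit_log
    so repeated probing from one session can be detected."""
    if session_pan not in TAXPAYERS:
        return 401, {"error": "login required"}
    if not PAN_RE.fullmatch(requested_pan):
        return 400, {"error": "malformed PAN"}
    if requested_pan != session_pan:
        audit_log.append({"session_pan": session_pan, "requested_pan": requested_pan})
        # Same status as a missing record, so the response does not confirm
        # whether the other PAN exists in the system.
        return 404, {"error": "not found"}
    return 200, TAXPAYERS[session_pan]


def cross_pan_attempts(audit_log, session_pan):
    """Count denied cross-PAN requests from one session: a simple alerting signal."""
    return sum(1 for entry in audit_log if entry["session_pan"] == session_pan)
```

In a real deployment the session PAN comes from the server-side session or a verified token, never from a request parameter, and the audit entries would feed a rate-based alert.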
The issue reportedly exposed not only individuals’ information but also data belonging to registered companies on the portal.
India’s Computer Emergency Response Team (CERT-In) was notified soon after the flaw’s discovery. A CERT-In representative later confirmed that the Income Tax Department had begun working on a fix.