The Indian Government’s tax authority has set a security defect at the income tax gate that exposes the data of sensitive taxpayers, TechCrunch has learned and confirms exclusively and confirms the authorities.
The defect, discovered in September by a pair of Akshay CS security researchers and “viral”, allowed anyone who had been connected to the Electronic collapse Portal of Income Tax Department to access to other people’s personal and financial data.
Exposed data included full names, home addresses, email addresses, birth dates, phone numbers and bank account details for people paying taxes for their income in India. The data also exposed the Citizens’ Aadhaar number, a unique government -recognized as proof of identity and for access to government agencies.
TechCrunch has verified the data in the best possible way, giving researchers permission to search for this journalist’s records at the gate.
Security researchers confirmed TechCrunch on October 2 that the vulnerability was stable. Given the danger to the public, TechCrunch has ruled to publish this story until security researchers confirmed that vulnerability could no longer exploit.
Representatives for the India Income Tax Department recognized our email asking for comments, but did not answer our questions from the press time. The Income Tax Department did not obtain objections to our publication this story.
The ‘extremely low strength’ error provided access to sensitive data
Security researchers Akshay CS and “viral” told TechCrunch that they had discovered the vulnerability when depositing the recent income tax return on the government website.
India residents are required to deposit their annual earnings to calculate the taxes they owe to the Indian government.
The researchers found that when they signed to the gate using their permanent account number (Pan), a formal document issued by the Indian Income Tax Department, they could see the sensitive financial data of anyone else, transferring the PAN for another pan to the network request.
This could be done using the common tools such as Postman or Burp Suite (or using the built -in programmer tools of the web browser) and with the knowledge of someone else’s pan, the researchers told TechCrunch.
The error was exploited by anyone recorded on the tax portal, because the back-end servers of the income department had not properly chosen who was able to access a person’s sensitive data. This category of vulnerability is known as the insecure report of direct object or identifier, a common and simple defect warned by governments is easy to exploit and can lead to large -scale data violations.
“This is an extremely low thing, but the one that has a very serious consequence,” researchers said in TechCrunch.
In addition to the data of individuals, the researchers said that the error also exposed data related to companies that were registered on the electronic deposit gate.
TechCrunch also verified that errors exposed to people who have not yet filed income tax returns this year. We confirmed this by asking a person who had not yet filed his tax returns for his permission to have the researchers to search for their information using the gateway error.
Cert-in recognizes security defect
Security researchers warned the Emergency Computer Preparedness Team or Cert-in, on the safety defect shortly after their discovery, but did not give a timetable for repair.
When it came into contact with TechCrunch on September 30, a Cert-in spokesman said the income tax department was already working to correct vulnerability.
The Indian Finance Ministry did not return TechCrunch’s request for comments. After reaching the income tax department on vulnerability, the Director General of the Systems recognized the receipt of TechCrunch on October 1, but did not comment further.
It remains unclear how long there is vulnerability or if they have access to malicious factors exposed data. Cert-in did not answer these questions when asked by TechCrunch.
The exact number of users affected by exposed data is also unclear. The Portal of the Income Tax Department lists more than 135 million registered users and over 76 million users submitted income tax returns in the financial year 2024-25, per public data Available on the gate itself.
