A critical security vulnerability in India's income tax e-filing portal exposed the personal and financial data of over 135 million registered taxpayers to unauthorized users. The flaw, discovered by security researchers in September and now fixed, allowed anyone logged into the system to access others' sensitive information through a simple parameter swap.
India's digital government infrastructure just suffered a major security breach that could have affected every taxpayer in the country. Security researchers Akshay CS and "Viral" discovered a critical vulnerability in the Income Tax Department's e-filing portal that exposed sensitive personal and financial data of over 135 million registered users to anyone with basic technical knowledge.
The flaw was discovered in September when the researchers were simply filing their own tax returns. What they found was an "extremely low hanging" security bug that had catastrophic implications - anyone logged into the portal could access other taxpayers' complete profiles by swapping out identification numbers in the web request.
"This is an extremely low hanging thing, but one that has a very severe consequence," the researchers told TechCrunch, which exclusively verified and reported the breach. The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, bank account details, and most critically, citizens' Aadhaar numbers - India's unique government identifier used for accessing virtually all government services.
The vulnerability was an insecure direct object reference (IDOR) flaw, one of the most common and preventable security mistakes in web development. The government's backend servers simply weren't checking whether users had permission to access the data they were requesting. Armed with someone's Permanent Account Number (PAN) and basic tools like Postman or browser developer tools, any logged-in user could pull up anyone else's complete tax profile.
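The article describes the IDOR pattern in one sentence: the request carried a PAN, the server checked that the caller was logged in, but never checked that the caller was entitled to that PAN. The following is an added illustration (not code from the article or from the e-filing portal) of that missing check in a minimal Python model: a lookup that only verifies authentication, next to one that ties the requested identifier to the session's authorised PANs, records every decision, and exposes a small detection helper that flags repeated cross-account denials. All records, PANs, user ids and the `AUTHORIZED_PANS` mapping are constructed for the example.

```python
"""Added example: authentication vs. object-level authorisation for a
profile lookup keyed by a PAN-like identifier. Nothing here is real data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample profiles keyed by PAN. Values are fake.
PROFILES: Dict[str, dict] = {
    "AAAPA0000A": {"name": "Taxpayer One", "aadhaar_last4": "1111", "bank": "XXXX0001"},
    "BBBPB0000B": {"name": "Taxpayer Two", "aadhaar_last4": "2222", "bank": "XXXX0002"},
}

# Constructed authorisation table: which logged-in principal may read which
# PANs. An authorised representative may legitimately hold several.
AUTHORIZED_PANS: Dict[str, set] = {
    "user-one": {"AAAPA0000A"},
    "user-two": {"BBBPB0000B"},
    "practitioner-x": {"AAAPA0000A", "BBBPB0000B"},
}


@dataclass
class Session:
    user_id: str


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested PAN."""


def get_profile_vulnerable(session: Optional[Session], pan: str) -> Optional[dict]:
    """The pattern the article describes: the only check is 'is someone logged
    in'. The PAN in the request is never compared with the caller's identity,
    so any authenticated user can read any profile."""
    if session is None:
        raise PermissionError("login required")
    return PROFILES.get(pan)


def get_profile_secure(session: Optional[Session], pan: str, audit: AuditLog) -> dict:
    """Hardened lookup: authentication, then object-level authorisation.
    'Not permitted' and 'not found' are deliberately indistinguishable so the
    endpoint cannot be used to confirm which PANs exist."""
    if session is None:
        raise PermissionError("login required")
    allowed = AUTHORIZED_PANS.get(session.user_id, set())
    if pan not in allowed or pan not in PROFILES:
        audit.entries.append({"user": session.user_id, "pan": pan, "result": "denied"})
        raise Forbidden("not permitted")
    audit.entries.append({"user": session.user_id, "pan": pan, "result": "allowed"})
    return PROFILES[pan]


def cross_account_denials(audit: AuditLog, threshold: int = 3) -> Dict[str, int]:
    """Detection helper: principals with repeated denied lookups of PANs they do
    not hold. Once the check exists, this is the trace an enumeration attempt
    leaves in the log, which the vulnerable version would never produce."""
    counts: Dict[str, int] = {}
    for entry in audit.entries:
        if entry["result"] == "denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log = AuditLog()
    print(get_profile_secure(Session("user-one"), "AAAPA0000A", log)["name"])
    try:
        get_profile_secure(Session("user-one"), "BBBPB0000B", log)
    except Forbidden:
        print("cross-account read denied")
```

The design point is that the authorisation table, not the request, decides which identifiers a session may resolve; the request parameter is only an index into what the caller already owns. Logging the denials matters as much as the check itself: it is what lets an operator answer the question the article says remained open, whether anyone probed the endpoint before the fix.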
TechCrunch verified the severity by having the researchers look up their reporter's own data through the exploit, confirming the vulnerability affected not just current taxpayers but even those who hadn't filed returns yet this year. The bug also exposed corporate data for businesses registered with the portal.
What makes this particularly concerning is the scale. India's tax portal serves over 135 million registered users, with 76 million actively filing returns in the 2024-25 financial year according to official government data. That's roughly equivalent to exposing the tax data of every American adult.
The researchers promptly reported their findings to CERT-In, India's computer emergency readiness team, but weren't given a timeline for the fix. When TechCrunch contacted CERT-In on September 30, officials confirmed the Income Tax Department was already working on a solution. The vulnerability was finally patched on October 2.
This incident highlights the ongoing challenges governments face in securing digital infrastructure that serves hundreds of millions of citizens. India has been rapidly digitizing public services under its "Digital India" initiative, but this breach shows how basic security oversights can have massive implications when government systems operate at such scale.
The Indian Income Tax Department acknowledged TechCrunch's inquiries but didn't provide detailed responses by press time. The Ministry of Finance didn't respond to requests for comment. Critically, it remains unclear how long the vulnerability existed or whether malicious actors exploited it before the researchers discovered it.
This type of IDOR vulnerability is particularly troubling because it's so preventable. Security agencies, including those in the US and Australia, have repeatedly warned about these flaws being easy to exploit and capable of causing large-scale data breaches. The fact that such a basic security check was missing from a system handling the financial data of over 100 million people raises questions about the security practices governing India's digital government initiatives.
For Indian taxpayers, this breach represents a worst-case scenario for privacy. With access to both financial records and Aadhaar numbers, bad actors could potentially access other government services or financial accounts, or commit identity theft. The good news is that the researchers acted responsibly by reporting the flaw rather than exploiting it, and TechCrunch held the story until the fix was confirmed.
This breach serves as a stark reminder that as governments digitize public services at massive scale, basic security fundamentals become even more critical. While India's quick response to patch the vulnerability is encouraging, the incident underscores the need for more robust security testing before deploying systems that handle the personal data of hundreds of millions of citizens. For Indian taxpayers, it's a wake-up call about the digital privacy risks that come with mandatory government services - and the importance of responsible security research in protecting public data.