India’s Income Tax Department has quietly patched a severe security vulnerability in its e-Filing portal, following an alert from cybersecurity researchers Akshay C.S. and “Viral”, who discovered that the system allowed logged-in users to access private information of other taxpayers.
The flaw, known as an Insecure Direct Object Reference (IDOR), is one of the most basic web security oversights yet its impact was potentially massive. By merely swapping out one taxpayer’s Permanent Account Number (PAN) with another in the web request, researchers were able to view detailed personal and financial information belonging to unrelated individuals.
“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers said.
The exposed data included full names, home addresses, email IDs, phone numbers, Aadhaar details, and bank account information, all accessible with minimal technical skill and readily available HTTP tools such as Postman or Burp Suite.
TechCrunch independently verified the vulnerability by allowing the researchers to look up the publication’s own data within the system, confirming that the flaw could be exploited in real time.
Scope of Exposure: 135 Million Registered Users at Risk
The Income Tax Department’s portal, which manages more than 135 million registered users and handled over 76 million returns in FY 2024–25, serves as the backbone of India’s tax infrastructure. The flaw potentially exposed sensitive data of both individual taxpayers and registered companies using the platform.
The issue was particularly concerning because it also allowed access to information belonging to individuals who had not yet filed their income tax returns for the year. According to researchers, the flaw existed within the portal’s backend authorization layer, which failed to verify whether a logged-in user was entitled to view a given data record.
This kind of unchecked access — common in poorly designed APIs — can lead to mass-scale data leaks without the need for hacking or privileged credentials.
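The authorization gap described above, as an added illustration rather than code from the e-Filing portal: a lookup endpoint that authenticates the caller but never checks that the requested PAN belongs to them, beside two hardened forms (an object-level ownership check, and dropping the client-supplied identifier altogether), plus a simple retrospective check for one session fetching many distinct PANs. The record layout, session model, PAN values and log format are all constructed for the example.

```python
# Added example: a minimal model of the IDOR pattern the article describes,
# beside its hardened form and a simple enumeration check over access logs.
# Illustrative code only, not the e-Filing portal's; the record layout,
# session model, PAN values and log format are all constructed.
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample store keyed by PAN. Real PANs share the 10-character
# shape, but these values are made up.
RECORDS = {
    "ABCDE1234F": {"name": "Taxpayer One", "bank_account": "XXXX1111", "filed": True},
    "PQRST5678K": {"name": "Taxpayer Two", "bank_account": "XXXX2222", "filed": False},
}


@dataclass
class Session:
    pan: str  # the PAN the user authenticated as (server-side state)


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session, requested_pan):
    """IDOR: checks that the caller is logged in but never that the requested
    record belongs to them, so swapping the PAN in the request returns
    another taxpayer's data."""
    if session is None:
        raise Forbidden("login required")
    return RECORDS.get(requested_pan)  # authorization gap: no ownership check


def get_profile_fixed(session, requested_pan):
    """Object-level authorization: the record must belong to the session's
    identity. The comparison uses server-side session state, never a field
    the client can edit."""
    if session is None:
        raise Forbidden("login required")
    if requested_pan != session.pan:
        # Reject before the lookup, so the response is identical whether or
        # not the PAN exists and the endpoint cannot be used to enumerate PANs.
        raise Forbidden("not your record")
    return RECORDS.get(requested_pan)


def get_own_profile(session):
    """Stronger still: derive the identifier from the session and drop the
    client-supplied PAN parameter, so there is nothing to swap."""
    if session is None:
        raise Forbidden("login required")
    return RECORDS.get(session.pan)


def sessions_enumerating(log_lines, threshold=2):
    """Retrospective check for the abuse pattern: a single session successfully
    fetching profiles for many distinct PANs. Log format is constructed:
    'session_id requested_pan http_status'."""
    seen = defaultdict(set)
    for line in log_lines:
        session_id, pan, status = line.split()
        if status == "200":
            seen[session_id].add(pan)
    return sorted(s for s, pans in seen.items() if len(pans) >= threshold)


SAMPLE_LOG = [  # constructed access-log lines
    "sess-A ABCDE1234F 200",
    "sess-A ABCDE1234F 200",
    "sess-B ABCDE1234F 200",
    "sess-B PQRST5678K 200",
    "sess-B ZZZZZ9999Z 404",
]

if __name__ == "__main__":
    alice = Session(pan="ABCDE1234F")
    print(get_profile_vulnerable(alice, "PQRST5678K"))  # leaks Taxpayer Two
    try:
        get_profile_fixed(alice, "PQRST5678K")
    except Forbidden as err:
        print("fixed endpoint:", err)
    print(get_own_profile(alice)["name"])
    print(sessions_enumerating(SAMPLE_LOG))  # ['sess-B']
```

The ownership check has to run on every object-returning endpoint, not only the profile view; an IDOR is usually found wherever a developer assumed "logged in" was the same as "allowed". The log check is deliberately crude (a distinct-PAN count per session) but is the kind of query that would answer the open question of whether the flaw was exploited before the fix.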
While the vulnerability has now been fixed, the timeline of its existence and extent of exploitation remain unclear. Authorities have not disclosed whether any malicious actors accessed taxpayer data before the fix was applied.
CERT-In Steps In; Vulnerability Fixed After Disclosure
After discovering the flaw in September 2025, the researchers promptly reported it to CERT-In, India’s national cybersecurity coordination agency. While CERT-In acknowledged the report and confirmed that the Income Tax Department was working to fix the issue, it did not share a specific resolution timeline.
Following inquiries from TechCrunch on September 30, a CERT-In spokesperson stated that the matter was under remediation. By October 2, the researchers confirmed that the vulnerability had been patched and that unauthorized access was no longer possible.
The Director General of Systems at the Income Tax Department acknowledged receipt of TechCrunch’s query but declined to comment further. The Ministry of Finance also did not issue a statement on the matter, despite the potential impact on millions of citizens.
Experts Call for Stronger Digital Accountability
Cybersecurity experts have termed the flaw a “critical governance failure”, pointing out that such basic lapses in access control are unacceptable in systems handling sensitive personal and financial data.
“IDOR vulnerabilities are among the easiest to detect and prevent. That this existed in a national portal with taxpayer and Aadhaar data indicates a lack of rigorous testing and third-party audits,” said a Delhi-based cybersecurity analyst.
The incident also revives concerns over data privacy and security oversight across India’s digital public infrastructure. Despite the enactment of the Digital Personal Data Protection (DPDP) Act, 2023, implementation and enforcement remain inconsistent across government platforms.
Privacy advocates argue that recurring lapses, from Aadhaar leaks to state-run portal breaches, highlight the urgent need for mandatory vulnerability disclosure programs and independent security audits for all public-facing digital systems.
