Stay Current on Political News—The US Future

Security bug in India’s income tax portal exposed taxpayers’ sensitive data

Sarah Mitchell
Published October 7, 2025

The Indian government's tax authority has fixed a security flaw in its income tax filing portal that was exposing taxpayers' confidential data, TechCrunch has exclusively learned and confirmed with authorities.

The flaw, discovered in September by a pair of security researchers, Akshay CS and “viral”, allowed anyone logged in to the Income Tax Department's e-filing portal to access up-to-date personal and financial data of other people.

The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers and bank account details of people who pay taxes on their income in India. The data also exposed citizens' Aadhaar numbers, a unique government-issued identifier used as proof of identity and to access government services.

TechCrunch verified the data by granting the researchers permission to look up this reporter's records on the portal.

The security researchers confirmed to TechCrunch on October 2 that the vulnerability had been fixed. Given the risk to the public, TechCrunch withheld publishing this story until the researchers confirmed that the vulnerability can no longer be exploited.

Representatives of India's Income Tax Department acknowledged our email requesting comment, but did not answer our questions by the time of publication. The Income Tax Department did not raise any objection to our publication of this story.

‘Extremely low-hanging’ bug granted access to confidential data

Security researchers Akshay CS and “viral” told TechCrunch that they discovered the vulnerability while filing their recent income tax returns on the government's website.

Residents of India must report their annual earnings to calculate the taxes they owe to the Indian government.

The researchers found that when they signed in to the portal using their Permanent Account Number (PAN), an official document issued by the Indian Income Tax Department, they could view the confidential data of any other person by swapping their own PAN for another PAN.

This could be done using publicly available tools such as Postman or Burp Suite (or the web browser's built-in developer tools) and with knowledge of another person's PAN, the researchers told TechCrunch.

The bug was exploitable by anyone logged in to the tax portal because the Indian Income Tax Department's back-end servers were not checking who was allowed to access a person's confidential data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.
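The missing check described above, as an added example that is not from the original article or the portal's code: a login-only lookup beside one that enforces object-level authorization on the server and records denied lookups for detection. All function names, the `delegated` field and the PAN-like sample values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed records keyed by PAN-like placeholders (not real identifiers).
PROFILES = {
    "AAAAA0001A": {"name": "Taxpayer One", "bank": "XXXX1111"},
    "BBBBB0002B": {"name": "Taxpayer Two", "bank": "XXXX2222"},
    "CCCCC0003C": {"name": "Company Three", "bank": "XXXX3333"},
}
AUDIT = []  # (actor, requested) pairs for every denied lookup

class Forbidden(Exception):
    pass

@dataclass
class Session:
    pan: str                             # identity established at login
    delegated: frozenset = frozenset()   # hypothetical: PANs this user may act for

def get_profile_vulnerable(session, requested_pan):
    # IDOR: only "is someone logged in?" is checked; the client-supplied
    # identifier alone decides whose record is returned.
    if session is None:
        raise Forbidden("login required")
    return PROFILES[requested_pan]

def get_profile_checked(session, requested_pan):
    # Object-level authorization on every request: the requested record must
    # belong to the authenticated identity or to one it is allowed to act for.
    if session is None:
        raise Forbidden("login required")
    if requested_pan not in ({session.pan} | session.delegated):
        AUDIT.append((session.pan, requested_pan))
        # Same error as a missing record, so responses do not confirm valid PANs.
        raise Forbidden("not found")
    if requested_pan not in PROFILES:
        raise Forbidden("not found")
    return PROFILES[requested_pan]

def flag_enumeration(audit, threshold=2):
    # Detection: identities denied on several distinct foreign identifiers.
    targets = {}
    for actor, requested in audit:
        targets.setdefault(actor, set()).add(requested)
    return sorted(a for a, t in targets.items() if len(t) >= threshold)
```
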

“This is an extremely low-hanging thing, but has a very severe consequence,” the researchers told TechCrunch.

In addition to individuals' data, the researchers said the bug also exposed data associated with companies registered on the e-filing portal.

TechCrunch also verified that the bug exposed data on people who had not yet filed their income tax returns this year. We confirmed this by asking a person who had not yet filed their tax return to let the researchers look up their information using the portal bug.

CERT-In acknowledges security flaw

The security researchers alerted India's computer emergency readiness team, or CERT-In, to the security flaw shortly after their discovery, but were not given a timeline for the fix.

When contacted by TechCrunch on September 30, a CERT-In representative said that the Income Tax Department was already working to fix the vulnerability.

India's Ministry of Finance did not return TechCrunch's request for comment. After TechCrunch contacted the Income Tax Department about the vulnerability, its Director General of Systems acknowledged receipt of TechCrunch's email on October 1, but did not comment further.

It is not clear how long the vulnerability existed or whether malicious actors accessed the exposed data. CERT-In did not answer these questions when asked by TechCrunch.

The exact number of users affected by the data exposure is also unknown. The Income Tax Department's portal lists more than 135 million registered users, and more than 76 million users filed income tax returns in the 2024-25 financial year, according to public data available on the portal itself.
