The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayers’ data, TechCrunch has exclusively learned and confirmed with authorities.

The flaw, discovered in September by a pair of security researchers Akshay CS and “Viral,” allowed anyone who was logged into the income tax department’s e-Filing portal to access up-to-date personal and financial data of other people.

The exposed data included full names, home addresses and email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India. The data also exposed citizens’ Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services.

TechCrunch verified the data to the best of its ability by granting permission to the researchers to look up this reporter’s records on the portal.

The security researchers confirmed to TechCrunch on October 2 that the vulnerability was fixed. Given the risk to the public, TechCrunch withheld publishing this story until the security researchers confirmed that the vulnerability can no longer be exploited.

Representatives for the Indian Income Tax Department acknowledged our email requesting comment, but did not answer our questions by press time. The Income Tax Department did not present any objections to our publishing this story.

‘Extremely low hanging’ bug granted access to sensitive data

The security researchers Akshay CS and “Viral” told TechCrunch that they discovered the vulnerability while filing their recent income tax return on the government website. Residents of India are required to file their annual earnings to calculate the taxes they owe to the Indian government.

The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else’s sensitive financial data by swapp...
First seen: 2025-10-07 15:10
Last seen: 2025-10-08 10:13