A critical security vulnerability in India's income tax e-filing portal exposed the personal and financial data of over 135 million registered taxpayers to unauthorized users. The flaw, discovered by security researchers in September and now fixed, allowed anyone logged into the system to access others' sensitive information through a simple parameter swap.
India's digital government infrastructure just suffered a major security breach that could have affected every taxpayer in the country. Security researchers Akshay CS and "Viral" discovered a critical vulnerability in the Income Tax Department's e-filing portal that exposed sensitive personal and financial data of over 135 million registered users to anyone with basic technical knowledge.
The flaw was discovered in September when the researchers were simply filing their own tax returns. What they found was an "extremely low hanging" security bug that had catastrophic implications - anyone logged into the portal could access other taxpayers' complete profiles by swapping out identification numbers in the web request.
"This is an extremely low hanging thing, but one that has a very severe consequence," the researchers told TechCrunch, which exclusively verified and reported the breach. The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, bank account details, and most critically, citizens' Aadhaar numbers - India's unique government identifier used for accessing virtually all government services.
The vulnerability was an insecure direct object reference (IDOR) flaw, one of the most common and preventable security mistakes in web development. The government's backend servers simply weren't checking whether users had permission to access the data they were requesting. Armed with someone's Permanent Account Number (PAN) and basic tools like Postman or browser developer tools, any logged-in user could pull up anyone else's complete tax profile.
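The failing described above, a handler that authenticates the caller but never checks that the caller is allowed to read the specific record named in the request, is easiest to see next to its fix. The following is an added example written for this article, not code from the Income Tax Department's portal or from the researchers; the record store, the session model, the placeholder PANs and the `tax_officer` role are all assumptions, constructed only to show the object-level authorization check that an IDOR lacks, plus the audit trail a defender would use to spot a session enumerating PANs it does not own.

```python
"""Object-level authorization for a 'profile by PAN' lookup.

Added example, not the tax portal's code. Every record, PAN and role below is a
constructed placeholder; the request/session model is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records keyed by PAN (fake values, not real taxpayers).
PROFILES: Dict[str, dict] = {
    "AAAAA0000A": {"name": "Taxpayer One", "aadhaar_last4": "0001", "bank": "XXXX0001"},
    "BBBBB0000B": {"name": "Taxpayer Two", "aadhaar_last4": "0002", "bank": "XXXX0002"},
}


@dataclass
class Session:
    user_id: str
    pan: str                                   # PAN bound to the user at login
    roles: frozenset = frozenset()             # e.g. {"tax_officer"} (assumed role)


@dataclass
class Response:
    status: int
    body: Optional[dict]


def vulnerable_get_profile(session: Session, requested_pan: str) -> Response:
    """The IDOR pattern: a session is required (authentication), but nothing
    ties the PAN in the request to the PAN of the session's user (authorization),
    so any logged-in user can read any record by changing the parameter."""
    record = PROFILES.get(requested_pan)
    if record is None:
        return Response(404, None)
    return Response(200, record)


def secure_get_profile(session: Session, requested_pan: str, audit: List[dict]) -> Response:
    """Hardened handler: the requested PAN must equal the session's own PAN, or the
    caller must hold an explicitly privileged role. Denied lookups return 404 rather
    than 403 so the endpoint does not confirm which PANs exist, and each denial is
    recorded for detection."""
    authorized = requested_pan == session.pan or "tax_officer" in session.roles
    if not authorized:
        audit.append({"user": session.user_id, "requested": requested_pan, "result": "denied"})
        return Response(404, None)
    record = PROFILES.get(requested_pan)
    if record is None:
        return Response(404, None)
    return Response(200, record)


def secure_get_own_profile(session: Session) -> Response:
    """Simplest fix of all: the endpoint takes no identifier from the client and
    derives the record key from the authenticated session alone."""
    record = PROFILES.get(session.pan)
    if record is None:
        return Response(404, None)
    return Response(200, record)


def mismatch_counts(audit: List[dict]) -> Dict[str, int]:
    """Count denied cross-PAN lookups per user. One session being refused many
    different PANs is the enumeration signal a defender alerts on."""
    counts: Dict[str, int] = {}
    for entry in audit:
        if entry["result"] == "denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    user = Session("u1", "AAAAA0000A")
    print("vulnerable:", vulnerable_get_profile(user, "BBBBB0000B"))   # leaks Taxpayer Two
    log: List[dict] = []
    print("hardened:  ", secure_get_profile(user, "BBBBB0000B", log))  # 404, logged
    print("denials:   ", mismatch_counts(log))
```

The check itself is one comparison; the point is where it lives. It has to run inside the handler for every object reference, not only at login, and the safest variant is `secure_get_own_profile`, which never lets the client name the record at all.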
TechCrunch verified the severity by having the researchers look up their reporter's own data through the exploit, confirming the vulnerability affected not just current taxpayers but even those who hadn't filed returns yet this year. The bug also exposed corporate data for businesses registered with the portal.
What makes this particularly concerning is the scale. India's tax portal serves over 135 million registered users, with 76 million actively filing returns in the 2024-25 financial year according to official government data. That's roughly equivalent to exposing the tax data of every American adult.