India's government tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayers' data, TechCrunch has exclusively learned and confirmed with the authorities.
The flaw, which was discovered in September by a pair of security researchers, Akshay CS and “Viral”, allowed anyone logged in to the income tax electronic filing portal to access personal and financial data of other people.
The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers and bank account details of people who pay taxes on their income in India. The data also exposed citizens' Aadhaar numbers, a unique government-issued identifier used as proof of identity and for accessing government services.
TechCrunch verified the data by giving the researchers permission to look up this reporter's records on the portal.
The security researchers confirmed to TechCrunch on October 2 that the vulnerability was fixed. Given the risk to the public, TechCrunch held this story until the security researchers confirmed that it is no longer possible to exploit the vulnerability.
Representatives of India's Income Tax Department acknowledged our email requesting comment, but did not answer our questions by press time. The Income Tax Department did not raise any objections to publishing this story.
A “very low” bug gives access to sensitive data
Akshay CS and “Viral” told TechCrunch they discovered the vulnerability while filing their recent income tax return on the government’s website.
Indian residents must report their annual earnings to calculate the taxes they owe to the Indian government.
The researchers found that when they signed in to the portal using their permanent account number (PAN), an official document issued by India's Income Tax Department, they could view the sensitive financial data of any other person by swapping in another PAN in the network request made when the web page loads.
This could be done using publicly available tools like Postman or Burp Suite (or using the developer tools built into the web browser) and with the knowledge of an ordinary person, the researchers told TechCrunch.
The bug was exploitable by any person who was logged in to the tax portal because the back-end servers of India's Income Tax Department were not properly checking who was allowed to access a person's sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can lead to large-scale data breaches.
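The missing check described above can be shown in a few lines. This is an added illustration, not the portal's code: the record store, the PAN-shaped identifiers, the function names and the audit-log format are all constructed for the example. It contrasts a handler that trusts the identifier in the request with one that binds access to the logged-in identity, and adds a simple check for one account probing many other identifiers.

```python
from dataclasses import dataclass

# Constructed sample records keyed by made-up, PAN-shaped identifiers.
RECORDS = {
    "AAAAA0000A": {"name": "Taxpayer One", "bank": "XXXX1111"},
    "BBBBB1111B": {"name": "Taxpayer Two", "bank": "XXXX2222"},
}
AUDIT_LOG = []  # stand-in for a security event stream (hypothetical format)


@dataclass
class Session:
    pan: str  # identifier the server bound to this login at sign-in


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session, requested_pan):
    # Flaw: only checks that *a* user is logged in, then returns whatever
    # record the client-supplied identifier points at.
    if session is None:
        raise Forbidden("login required")
    return RECORDS[requested_pan]


def get_profile_fixed(session, requested_pan):
    if session is None:
        raise Forbidden("login required")
    # Object-level authorisation: compare the requested identifier with the
    # server-side identity *before* any lookup, so the response is the same
    # whether or not the other record exists.
    if requested_pan != session.pan:
        AUDIT_LOG.append({"event": "object_access_denied",
                          "actor": session.pan, "target": requested_pan})
        raise Forbidden("not authorised for this record")
    return RECORDS[requested_pan]


def enumeration_suspects(log, threshold=3):
    # Detection: accounts denied access to many *distinct* identifiers are
    # likely iterating over other people's records.
    targets = {}
    for entry in log:
        if entry["event"] == "object_access_denied":
            targets.setdefault(entry["actor"], set()).add(entry["target"])
    return sorted(a for a, t in targets.items() if len(t) >= threshold)
```
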
“This is a very low thing, but it has a very severe result,” the researchers told TechCrunch.
In addition to individuals' data, the researchers said the bug also exposed data relating to companies registered on the electronic filing portal.
TechCrunch also verified that the bug exposed data on individuals who have not yet filed their income tax returns this year. We confirmed this by asking a person who has not yet filed their tax return for permission for the researchers to look up their information using the portal bug.
CERT-In acknowledges the security flaw
The security researchers alerted India's computer emergency response team, or CERT-In, to the security flaw shortly after their discovery, but they were not given a timeline for a fix.
When contacted by TechCrunch on September 30, a CERT-In representative said the Income Tax Department was already working to fix the vulnerability.
India's Ministry of Finance did not respond to TechCrunch's request for comment. After TechCrunch contacted the Income Tax Department about the vulnerability, its director general of systems acknowledged receipt of TechCrunch's email on October 1 but did not comment further.
It remains unclear how long the vulnerability existed or whether any malicious actors have accessed the exposed data. These questions were not answered when asked by TechCrunch.
The exact number of users affected by the data exposure is also unclear. The Income Tax Department's portal lists more than 135 million registered users, and more than 76 million users filed income tax returns in the fiscal year 2024-25, according to public data available on the same portal.