Security bug in India's income tax portal exposes taxpayer data
The vulnerability was patched last week


Oct 08, 2025
09:34 am

What's the story

A major security vulnerability in India's income tax filing portal has been fixed, TechCrunch reported. The flaw, discovered by security researchers Akshay CS and "Viral" in September, allowed any logged-in user to access real-time personal and financial information of other taxpayers. This included sensitive details such as full names, home addresses, email addresses, dates of birth, phone numbers and bank account information.

Data exposure

Exposed Aadhaar numbers of individuals

The security flaw in the income tax filing portal also exposed Aadhaar numbers, the unique government-issued identification number used for identity verification and for accessing government services. TechCrunch verified the exposure by letting the researchers look up its own staff's records on the portal. The researchers confirmed on October 2 that the vulnerability had been patched.

Discovery process

Researchers found bug while filing tax returns

The researchers found the security flaw while filing their own income tax returns on the government website. After logging into the portal with their Permanent Account Number (PAN), they noticed that the page fetched their profile through a network request that carried their PAN; replacing it with someone else's PAN in that request returned the other person's sensitive financial data. This required only publicly available tools such as Postman or Burp Suite to intercept and modify the request, plus knowledge of the target's PAN.

Exploitation details

Vulnerability was easily exploitable by anyone logged into tax portal

The vulnerability was exploitable by anyone logged into the tax portal because the Income Tax Department's back-end servers were not properly checking who could access a person's sensitive data. This type of vulnerability is known as an insecure direct object reference (IDOR), a common flaw that governments have warned can be easily exploited and lead to large-scale data breaches.
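To make the IDOR pattern described above concrete, here is an added example written for this page; it is not the portal's code and the records, PANs and function names are hypothetical. It models the flawed handler (authentication checked, object ownership not checked), the corrected handler, and the stricter design of never accepting the identifier from the client at all. The `enumerate_as` helper shows why the bug enables bulk harvesting: one session plus a list of PANs yields every profile under the vulnerable handler and only the caller's own under the fixed one.

```python
import re
from dataclasses import dataclass

# Constructed sample records (fictional PANs and data), standing in for the
# taxpayer profiles a back end like the portal's would serve. The real PAN
# format is five letters, four digits, one letter.
TAXPAYERS = {
    "ABCDE1234F": {"name": "Taxpayer One", "bank_account": "XXXX1111"},
    "PQRST5678G": {"name": "Taxpayer Two", "bank_account": "XXXX2222"},
}

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")


@dataclass(frozen=True)
class Session:
    """The authenticated caller, identified by the PAN used to log in."""
    pan: str


class Forbidden(Exception):
    pass


def profile_vulnerable(session, requested_pan):
    """Hypothetical flawed handler: checks that someone is logged in, then
    trusts the PAN supplied by the client. Format validation is kept to show
    that it is not an authorization control; any valid PAN is served."""
    if session is None:
        raise Forbidden("login required")
    if not PAN_RE.match(requested_pan):
        raise ValueError("malformed PAN")
    return TAXPAYERS[requested_pan]


def profile_fixed(session, requested_pan):
    """Hardened handler: the requested object must belong to the caller."""
    if session is None:
        raise Forbidden("login required")
    if not PAN_RE.match(requested_pan):
        raise ValueError("malformed PAN")
    if requested_pan != session.pan:
        # Deny without revealing whether the PAN exists; log for detection.
        raise Forbidden("not authorized for this record")
    return TAXPAYERS[requested_pan]


def profile_from_session(session):
    """Stricter design: derive the identifier from the server-side session
    so the client has no field to tamper with in the first place."""
    if session is None:
        raise Forbidden("login required")
    return TAXPAYERS[session.pan]


def enumerate_as(session, pans, handler):
    """What one logged-in user obtains by swapping PANs in the request."""
    leaked = {}
    for pan in pans:
        try:
            leaked[pan] = handler(session, pan)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    attacker = Session("ABCDE1234F")
    targets = list(TAXPAYERS)
    print("vulnerable:", sorted(enumerate_as(attacker, targets, profile_vulnerable)))
    print("fixed:     ", sorted(enumerate_as(attacker, targets, profile_fixed)))
```

If a portal legitimately lets one account act for another (an authorized representative viewing a client's return, say), the equality check in `profile_fixed` becomes a lookup against an explicit, server-side delegation table; the point is that the decision is made from session state the client cannot edit, never from the identifier in the request.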

Scope of exposure

Bug also exposed data of companies and of individuals who hadn't filed returns

Along with individuals' data, the bug also exposed information about companies registered with the e-Filing portal. TechCrunch verified that the bug even exposed data of individuals who had not filed an income tax return for the current year: with the permission of a person who had yet to file, the researchers looked up that person's information through the bug and found it was served.