A recently discovered security flaw in India's tax e-filing portal allowed some users to access other taxpayers' private data. Taxpayers should stay vigilant and follow the steps below to secure their accounts from misuse.
India's tax e-filing portal was reportedly exposed to a serious security gap for a brief period that allowed logged-in users to view the private data of others. What was described by TechCrunch as a "glaring hole" was discovered by independent security researchers when they were trying to file their own tax returns on the Income Tax Department’s e-filing portal. The security lapse allowed them, while logged in, to view the private data of other taxpayers, including Aadhaar numbers and financial details.
Independent security researchers discovered that the flaw in the portal's web code permitted the manipulation of a request parameter, such as switching one PAN for another, to retrieve personal and financial records without any authorisation check. The flaw, technically known as an Insecure Direct Object Reference (IDOR), is a well-known but sometimes overlooked class of vulnerability, TechCrunch reported.
IDOR occurs when an application exposes internal object identifiers (such as database IDs or PANs) and then serves the referenced object without checking that the logged-in user is actually entitled to it, so data can be reached simply by changing an identifier in the request. Exploiting such a flaw requires no advanced technical skill; a browser's built-in developer tools are enough.
The information that could be accessed included full names, home addresses, email addresses, phone numbers, dates of birth, bank account details, Aadhaar numbers, and tax-related data of individuals, even if they had not yet filed their returns. The researchers also found that corporate taxpayer data was vulnerable, including registered business profiles and financial summaries.
The vulnerability was reported to CERT-In, India’s Computer Emergency Response Team under the Ministry of Electronics and Information Technology. CERT-In coordinated with the Income Tax Department and a patch to fix the vulnerability was reportedly implemented by October 2, before the issue was publicly disclosed in the media.
TechCrunch and other outlets delayed publishing details of the vulnerability until the issue was resolved. The public response from the government has been minimal so far. The Income Tax Department acknowledged media queries but, at the time of writing, has not issued an official statement or notified users about the incident. Experts have recommended a comprehensive audit to determine whether any taxpayer data was accessed or exfiltrated during the window of exposure.
The tax department’s standard digital safeguards include two-factor authentication via One Time Password (OTP) sent to registered mobile numbers or email addresses, secure login messages, and optional multi-factor authentication through the “e-Filing Vault” feature. However, these front-end protections do not defend against vulnerabilities like IDOR that occur due to poor access control in backend systems.
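The two paragraphs above make a point worth seeing in code: an OTP or vault login establishes who the caller is, but an IDOR bug means the server never checks whether that caller is entitled to the particular record it is asked for. The following added example (constructed for this article; it is not the e-filing portal's code, and every PAN, record, session object and log line in it is made up) contrasts a handler that only checks "is the user logged in?" with one that also checks "does this record belong to the logged-in user?", and adds the kind of access-log review an audit of the exposure window would rely on: flagging sessions that read a PAN other than their own.

```python
"""IDOR illustration: authentication vs. authorisation, plus a log audit.
Constructed example; all identifiers and data are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity established by the login + OTP step (hypothetical session object)."""
    pan: str
    authenticated: bool = True


# Constructed backend store keyed by PAN. Values are made up.
RECORDS = {
    "AAAPA1234A": {"name": "Taxpayer One", "aadhaar_last4": "1111", "bank": "XXXX0001"},
    "BBBPB5678B": {"name": "Taxpayer Two", "aadhaar_last4": "2222", "bank": "XXXX0002"},
}


class Forbidden(Exception):
    """Raised when a request fails the access check."""


def get_record_vulnerable(session: Session, requested_pan: str):
    """The IDOR pattern: only authentication is checked, then the PAN taken
    straight from the request is used to look up the record. Any logged-in
    user can retrieve any PAN's data by changing that one parameter."""
    if not session.authenticated:
        raise Forbidden("login required")
    return RECORDS.get(requested_pan)


def get_record_hardened(session: Session, requested_pan: str):
    """Same lookup with an authorisation check: the requested object must
    belong to the identity the login step established. Front-end controls
    such as OTP cannot substitute for this server-side comparison."""
    if not session.authenticated:
        raise Forbidden("login required")
    if requested_pan != session.pan:
        raise Forbidden("record does not belong to this session")
    return RECORDS.get(requested_pan)


# Constructed access-log lines in a simple key=value format (not the portal's
# real log format). One line shows a session reading a PAN other than its own.
SAMPLE_LOG = [
    "ts=2025-09-30T10:00:01Z session_pan=AAAPA1234A requested_pan=AAAPA1234A status=200",
    "ts=2025-09-30T10:00:07Z session_pan=AAAPA1234A requested_pan=BBBPB5678B status=200",
    "ts=2025-09-30T10:01:15Z session_pan=BBBPB5678B requested_pan=BBBPB5678B status=200",
]


def parse_log_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; malformed tokens are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def find_cross_pan_reads(log_lines):
    """Audit helper: return (session_pan, requested_pan) pairs where a
    successful read targeted a PAN other than the session's own. On a
    correctly authorised backend this list should be empty; on the
    vulnerable one it is the list of potentially exposed records."""
    hits = []
    for line in log_lines:
        f = parse_log_line(line)
        if f.get("status") != "200":
            continue
        if f.get("session_pan") and f.get("requested_pan") and f["session_pan"] != f["requested_pan"]:
            hits.append((f["session_pan"], f["requested_pan"]))
    return hits


if __name__ == "__main__":
    me = Session("AAAPA1234A")
    print("vulnerable, other PAN:", get_record_vulnerable(me, "BBBPB5678B"))
    try:
        get_record_hardened(me, "BBBPB5678B")
    except Forbidden as exc:
        print("hardened, other PAN:", exc)
    print("cross-PAN reads in log:", find_cross_pan_reads(SAMPLE_LOG))
```

The fix is a single comparison, which is why IDOR is easy to overlook in review: nothing about the vulnerable handler looks broken when it is called with the caller's own PAN. The audit function is the defender's complement to the fix; run over the portal's real access logs for the exposure window (with whatever field names those logs actually use), it is what "determine whether any taxpayer data was accessed" concretely means.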
If you are an Indian taxpayer, do not rely solely on the e-filing portal's own assurances of security. You can take the following steps to reduce your risk of fraud or identity theft.
1. Always use strong and unique passwords for your tax portal account. Change your password regularly and avoid reusing it across other services.
2. Never share your login credentials, OTPs, or security questions with anyone, including self-proclaimed government officials.
3. If not already done, enable two-factor authentication for both login and password reset processes via the “e-Filing Vault” section of your account profile.
4. Monitor your e-filing portal account regularly for any unauthorised changes, especially to your email address, mobile number, or linked bank account.
5. Be alert to phishing emails or SMS messages that claim to be from the tax department. Always verify the email domain and website address before clicking on any links or entering login details. The official site is https://www.incometax.gov.in.
6. Use secure devices and trusted networks when accessing the e-filing portal. Avoid filing your taxes on public Wi-Fi networks and ensure your browser and antivirus software are up to date.
7. If you notice any unusual activity on your profile or suspect your data may have been leaked, report it immediately. You can contact cybercrime authorities via https://www.cybercrime.gov.in or call the income tax helpline at 1800-103-4215. You may also file a grievance directly through the e-filing portal.