
Security Bug In India's Income Tax Portal Exposed Taxpayers' Sensitive Data (techcrunch.com)

(Tuesday October 07, 2025 @11:30PM (BeauHD) from the would-you-look-at-that dept.)


A now-fixed security flaw in India's income tax e-filing portal [1]exposed millions of taxpayers' personal and financial data due to a basic IDOR vulnerability: a logged-in user could view another taxpayer's records simply by swapping the Permanent Account Number (PAN) in the request. "The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India," reports TechCrunch. "The data also exposed citizens' Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services." From the report:

> The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else's sensitive financial data by swapping out their PAN for another PAN in the network request as the web page loads. This could be done using publicly available tools like Postman or Burp Suite (or using the web browser's in-built developer tools) and with knowledge of someone else's PAN, the researchers told TechCrunch.

>

> The bug was exploitable by anyone who was logged-in to the tax portal because the Indian income tax department's back-end servers were not properly checking who was allowed to access a person's sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.

>

> "This is an extremely low-hanging thing, but one that has a very severe consequence," the researchers told TechCrunch. In addition to the data of individuals, the researchers said that the bug also exposed data associated with companies who were registered with the e-Filing portal. [...] It remains unclear how long the vulnerability has existed or whether any malicious actors have accessed the exposed data.



[1] https://techcrunch.com/2025/10/07/security-bug-in-indias-income-tax-portal-exposed-taxpayers-sensitive-data/
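The flaw TechCrunch describes is object-level authorization done on the wrong input: the server proves that *someone* is logged in, then serves whatever PAN the client puts in the request. The following is an added illustration, not code from the e-Filing portal or from TechCrunch. It is a hypothetical minimal profile handler with the vulnerable form beside the hardened form, plus a log check a defender could run to spot session-versus-requested-PAN mismatches after the fact. All PANs, names and log lines are constructed placeholders; the "delegated PANs" role is an assumption about how a tax professional might legitimately act for a client.

```python
"""Added example (hypothetical handler, not the portal's code): IDOR via a
client-supplied PAN, the object-level authorization fix, and a log check."""
import re
from dataclasses import dataclass, field

# Constructed sample records keyed by PAN. Values are placeholders, not real data.
TAXPAYERS = {
    "ABCDE1234F": {"name": "Taxpayer One", "bank_account": "****1111"},
    "FGHIJ5678K": {"name": "Taxpayer Two", "bank_account": "****2222"},
}


class Forbidden(Exception):
    """Raised where an HTTP handler would answer 401/403."""


@dataclass(frozen=True)
class Session:
    pan: str                                      # principal established at login
    delegated_pans: frozenset = field(default_factory=frozenset)  # assumed: client PANs a professional may read


def vulnerable_profile(session, requested_pan):
    """The bug: authentication only. The object key comes from the request and is
    never compared with who is logged in, so any PAN can be read."""
    if session is None:
        raise Forbidden("login required")
    return TAXPAYERS[requested_pan]


def hardened_profile(session, requested_pan):
    """The fix: authorize the object key against the authenticated principal,
    not against anything the client sent."""
    if session is None:
        raise Forbidden("login required")
    allowed = requested_pan == session.pan or requested_pan in session.delegated_pans
    record = TAXPAYERS.get(requested_pan)
    # One answer for "not yours" and "does not exist", so the endpoint is not a
    # PAN-existence oracle for enumeration.
    if not allowed or record is None:
        raise Forbidden("not authorized for this PAN")
    return record


def attempt(handler, session, requested_pan):
    """Simulates the PAN swap a tester would do in Burp or Postman.
    Returns the record, or None when the handler refuses."""
    try:
        return handler(session, requested_pan)
    except Forbidden:
        return None


# Constructed access-log lines in an assumed format: the PAN bound to the session
# and the PAN named in the request are both recorded.
LOG_RE = re.compile(r"session_pan=(\w+)\s+pan=(\w+)\s+(\d{3})$")
SAMPLE_LOG = [
    "2025-10-01T10:00:00Z GET /api/profile session_pan=ABCDE1234F pan=ABCDE1234F 200",
    "2025-10-01T10:00:07Z GET /api/profile session_pan=ABCDE1234F pan=FGHIJ5678K 200",
    "2025-10-01T10:00:09Z GET /api/profile session_pan=FGHIJ5678K pan=FGHIJ5678K 200",
]


def flag_cross_pan_reads(lines):
    """Returns (session_pan, requested_pan) for every successful read of a PAN
    other than the session's own: the trace an IDOR exploitation leaves."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "200" and m.group(1) != m.group(2):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    me = Session(pan="ABCDE1234F")
    print("vulnerable:", attempt(vulnerable_profile, me, "FGHIJ5678K"))
    print("hardened:  ", attempt(hardened_profile, me, "FGHIJ5678K"))
    print("flagged:   ", flag_cross_pan_reads(SAMPLE_LOG))
```

The cleaner design removes the parameter altogether: a `/profile` endpoint that reads the PAN from the server-side session cannot be swapped by the client at all, and the delegated-access case becomes an explicit, separately authorized lookup. The log check only works if the session's identity is logged alongside the requested object; if the access logs record just the URL, a cross-PAN read is indistinguishable from a legitimate one.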



This is BASIC validation shit (Score:4, Informative)

by devslash0 ( 4203435 )

This is the kind of fuck-up you'd expect from a 1st year software engineering student, not a production-ready government system.

More AI everyone. More low-cost contractors and outsourcing. Go on.

Why am I not surprised? (Score:2)

by shm ( 235766 )

Most contracts go to the usual useless big name companies, who dump their H-1B rejects on GOI projects.

Can you even imagine the level of incompetence? Let me help you:

In a high level design document pseudo code had a main() function definition which read 17 arguments from the command line, none of which were optional.

Let that sink in.

I dealt with clowns from all of these companies for 30 years. So while this one factoid is amusing, it is also typical of the talent at these companies.

Re: Why am I not surprised? (Score:2)

by devslash0 ( 4203435 )

You forgot the quotation marks around "talent".
