A serious cybersecurity flaw was recently found on the Indian government’s Income Tax e-filing portal, putting the personal data of millions of taxpayers at risk.
The website, used by nearly 13.5 crore people to file their returns, had a software bug that temporarily exposed Aadhaar numbers, bank details, mobile numbers, and addresses of users.
How the issue was discovered
Two cybersecurity experts identified the error. They found that after logging in, if a user changed the PAN in the request sent to the portal, the server did not verify that the requested data belonged to the logged-in user.
This meant that by entering someone else’s PAN, a user could access that person’s private details — without needing a password or OTP.
How did this mistake happen?
The issue was caused by a flaw known as an IDOR bug (Insecure Direct Object Reference). This happens when a system looks up a record by an identifier supplied by the client without confirming that the requesting user has permission to view that specific data.
In this case, the Income Tax website didn’t ensure that users were only accessing their own information.
As a result, anyone could potentially view someone else’s confidential data with a small technical change.
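As an added illustration (not code from the portal or from the researchers), here is a minimal Python model of the lookup pattern the article describes: a vulnerable handler that trusts the PAN supplied by the client beside a fixed one that binds the lookup to the authenticated session and logs mismatches so they can be alerted on. All PANs, names, bank values and session tokens are constructed.

```python
from typing import Optional, Tuple

# Constructed sample data: every PAN, name and value below is made up.
TAXPAYERS = {
    "AAAPA1234A": {"name": "Taxpayer A", "bank_masked": "XXXX1234"},
    "BBBPB5678B": {"name": "Taxpayer B", "bank_masked": "XXXX5678"},
}
# Session token -> PAN the user actually authenticated as (constructed).
SESSIONS = {"sess-a": "AAAPA1234A", "sess-b": "BBBPB5678B"}
# Authorisation failures are recorded here so they can be monitored.
AUDIT_LOG: list = []

Result = Tuple[str, Optional[dict]]  # ("ok", record) or ("denied", None)


def profile_vulnerable(session_id: str, requested_pan: str) -> Result:
    """IDOR pattern: checks only that *someone* is logged in, then trusts the
    client-supplied PAN to select the record, so any valid PAN returns any record."""
    if session_id not in SESSIONS:
        return ("denied", None)
    record = TAXPAYERS.get(requested_pan)
    return ("ok", record) if record else ("denied", None)


def profile_fixed(session_id: str, requested_pan: str) -> Result:
    """Object-level authorisation: the record is chosen by the identity bound to
    the session; a client-supplied PAN that differs is refused and logged."""
    owner_pan = SESSIONS.get(session_id)
    if owner_pan is None:
        return ("denied", None)
    if requested_pan != owner_pan:
        AUDIT_LOG.append({"session": session_id, "requested": requested_pan, "owner": owner_pan})
        return ("denied", None)
    return ("ok", TAXPAYERS[owner_pan])


def mismatch_count(session_id: str) -> int:
    """Detection helper: number of foreign-PAN requests seen from one session.
    A session that keeps asking for PANs it does not own is worth an alert."""
    return sum(1 for e in AUDIT_LOG if e["session"] == session_id)
```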
What steps were taken
As soon as the experts found the issue, they reported it to the government and CERT-In (Indian Computer Emergency Response Team).
Authorities quickly took corrective measures, fixed the bug, and confirmed that the website is now secure.
How serious was the risk?
This flaw could have led to a major cyber threat, as the Income Tax portal holds sensitive data of individuals, companies, and businesses.
If hackers had exploited it, the exposed information could have been used for identity theft, financial fraud, or fake transactions.