In a crucial cybersecurity intervention, the Government of India has patched a serious vulnerability in the Income Tax e-filing portal, preventing what could have been a large-scale data leak of taxpayers' confidential information.
Critical Vulnerability Found in Tax Portal
Two independent cybersecurity researchers, Akshay C.S. and Viral, discovered the flaw while filing their own tax returns in September 2025. It was identified as an IDOR (Insecure Direct Object Reference) vulnerability: the portal returned whichever taxpayer record the identifier in a network request pointed to, without checking that the record belonged to the logged-in user. Any authenticated user could therefore read another taxpayer's sensitive details simply by changing a request parameter such as the PAN (Permanent Account Number).
The data potentially exposed included:
- Full name and address
- Email ID and phone number
- Date of birth
- Aadhaar number
- Bank account details
- Data of both individuals and registered entities
Given that the portal caters to over 13.5 crore (135 million) registered users, and more than 7.6 crore (76 million) taxpayers filed returns in FY 2024-25, the potential magnitude of the breach was enormous.
Researchers Reported Flaw to CERT-In
Upon discovering the vulnerability, the researchers responsibly reported it to the Indian Computer Emergency Response Team (CERT-In), which immediately coordinated with the Income Tax Department to investigate and fix the issue.
CERT-In confirmed that the vulnerability had been mitigated successfully, and follow-up checks by the researchers verified that unauthorized data access was no longer possible. However, the government has not disclosed how long the flaw existed or whether any unauthorized access had occurred before patching.

How the Issue Was Resolved
Sources familiar with the matter said the Income Tax Department's technical team implemented a server-side validation and access control fix to block unintended data exposure. The fix was deployed by early October and verified across the portal's production servers.
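The following is an added worked example, not code from the e-filing portal, CBDT or Infosys, illustrating the request pattern described above and the kind of server-side fix reported here. It contrasts a profile lookup that trusts a client-supplied PAN (the IDOR) with one that validates the parameter and binds it to the authenticated session; all PANs, records, endpoint names and the audit-log format are constructed for the illustration and do not correspond to the real portal.

```python
# Added worked example (not code from the e-filing portal or its vendor):
# a minimal taxpayer-profile endpoint in the IDOR-vulnerable form the
# article describes, beside the hardened form with server-side validation
# and per-object access control. All PANs, names and records are constructed.
import re
from dataclasses import dataclass, field

# Constructed sample records. Real PANs follow the pattern AAAAA9999A;
# these values are made up and belong to no one.
TAXPAYERS = {
    "ABCDE1234F": {"name": "Taxpayer One", "dob": "1980-01-01",
                   "email": "one@example.com", "bank_account": "XXXXXX1111"},
    "PQRST5678K": {"name": "Taxpayer Two", "dob": "1975-06-15",
                   "email": "two@example.com", "bank_account": "XXXXXX2222"},
}

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")

# Audit trail of rejected cross-account requests (hypothetical format).
# Keeping such a record is what lets an operator later answer the question
# the article leaves open: was the flaw exploited before it was fixed?
AUDIT: list = []


@dataclass
class Session:
    """Identity established at login (assumption: one PAN per login)."""
    pan: str


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def vulnerable_profile(session: Session, params: dict) -> Response:
    """IDOR: the record is chosen by the client-supplied 'pan' parameter and
    the session is never consulted, so any logged-in user can read any record
    whose PAN they can guess or enumerate."""
    record = TAXPAYERS.get(params.get("pan", ""))
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def hardened_profile(session: Session, params: dict) -> Response:
    """Fix: validate the identifier, then enforce that it refers to the
    authenticated user's own record. The server, not the client, decides
    which object a request may touch."""
    pan = params.get("pan", session.pan)      # default to the caller's own PAN
    if not PAN_RE.match(pan):
        return Response(400, {"error": "invalid PAN format"})
    if pan != session.pan:                    # object-level authorization check
        AUDIT.append({"actor": session.pan, "target": pan, "outcome": "denied"})
        return Response(403, {"error": "forbidden"})
    record = TAXPAYERS.get(pan)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def harvest(handler, session: Session, candidate_pans) -> dict:
    """Simulate the bulk-extraction risk: one logged-in user tries a list of
    PANs against an endpoint and keeps whatever comes back with HTTP 200."""
    leaked = {}
    for pan in candidate_pans:
        resp = handler(session, {"pan": pan})
        if resp.status == 200:
            leaked[pan] = resp.body
    return leaked


if __name__ == "__main__":
    attacker = Session(pan="ABCDE1234F")
    targets = list(TAXPAYERS)                 # attacker tries both known PANs
    print("vulnerable:", sorted(harvest(vulnerable_profile, attacker, targets)))
    print("hardened:  ", sorted(harvest(hardened_profile, attacker, targets)))
    print("audit:     ", AUDIT)
```

Run against the two constructed records, the vulnerable handler hands the attacker's session both profiles, while the hardened handler returns only the attacker's own and logs the denied cross-account attempt. The design point is that the client-supplied identifier is never the basis for the lookup; it is at most compared with an identity the server already trusts, and a mismatch is recorded rather than silently ignored.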
This prompt action, experts say, averted a massive data privacy disaster that could have compromised millions of taxpayers' records.
Experts Call for Stronger Security Audits
Cybersecurity professionals have praised the quick response but also called for regular vulnerability assessments of major government platforms. Given the increasing use of digital public infrastructure, experts believe India must adopt a "responsible disclosure policy" to allow ethical hackers to report issues without fear of legal repercussions.
"This case proves that timely reporting and government cooperation can prevent major breaches. Proactive testing and transparent security frameworks should become standard practice," said one senior cybersecurity analyst.
Background
The Income Tax e-filing portal, maintained by the Central Board of Direct Taxes (CBDT) and developed by Infosys, serves as the primary digital interface for taxpayers to file returns, verify income and manage compliance records. Since its launch, the portal has faced occasional technical glitches, but this was one of the most severe security risks identified publicly to date.
