India’s official income tax e-filing portal briefly suffered a major security flaw that reportedly allowed logged-in users to see the private details of other taxpayers.
Independent security researchers discovered the issue while filing their own returns. According to TechCrunch, the glitch was a “glaring hole” in the portal’s system that exposed sensitive data such as Aadhaar numbers and financial details.
The researchers found that a weakness in the website’s code allowed them to change certain request details, like swapping one PAN number for another, and instantly access someone else’s records without any permission checks.
This type of bug is known as an Insecure Direct Object Reference (IDOR), a common web security issue that appears when an application uses internal identifiers such as database IDs or PANs in its requests but does not verify, on the server, that the requesting user is authorised to access the object those identifiers point to. In simple terms, anyone could alter the link or number in the address bar and view private information, even without special hacking tools.
The exposed data included full names, addresses, phone numbers, email IDs, dates of birth, bank account details, Aadhaar numbers, and tax information. Even people who hadn’t filed their returns yet were vulnerable.
Corporate taxpayers were also at risk, as their registered business details and financial summaries could be accessed the same way.
After discovering the issue, the researchers reported it to CERT-In, the government’s cybersecurity agency under the IT Ministry. CERT-In then coordinated with the Income Tax Department to fix the flaw.
A patch was reportedly applied by October 2, before the matter became public. TechCrunch and other media outlets delayed reporting the story until the issue was confirmed resolved.
So far, the government has not released an official statement or notified users about the incident. Experts, however, have advised that a full audit be carried out to check whether any taxpayer data was actually viewed or copied during the exposure window.
The tax department’s e-filing portal already uses several safety measures, including one-time passwords (OTP) for logins, secure login messages, and optional multi-factor authentication via the “e-Filing Vault.”
But experts warn that these login-time features don’t prevent IDOR-type flaws: they verify who is logging in, not whether each request a logged-in user makes is allowed to access the record it names. That per-request check belongs in the backend, and IDOR flaws occur when it is weak or missing.
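To make that distinction concrete, here is an added illustration in Python of the two patterns described above; it is not code from the e-filing portal, whose implementation is not public. One lookup trusts the PAN supplied in the request (the IDOR pattern), the other derives the record key from the authenticated session and logs mismatches so that probing can be detected. All records, PANs and bank values are constructed placeholders.

```python
# Added example, not the portal's code: an IDOR lookup beside its hardened form.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample store keyed by PAN (placeholder values, not real PANs).
TAXPAYER_DB = {
    "AAAAA0000A": {"name": "Taxpayer One", "bank": "XXXX1111"},
    "BBBBB1111B": {"name": "Taxpayer Two", "bank": "XXXX2222"},
}


@dataclass
class Session:
    """Authenticated session: the PAN is fixed at login (OTP/MFA already verified)."""
    pan: str


@dataclass
class AuditLog:
    """Records refused cross-PAN requests as (session_pan, requested_pan)."""
    denied: list = field(default_factory=list)


AUDIT = AuditLog()


def profile_vulnerable(session: Session, params: dict) -> dict:
    """IDOR pattern: the record key comes from the request, and the only check
    is that *some* session exists. Any logged-in user can read any PAN."""
    return TAXPAYER_DB[params["pan"]]


def profile_hardened(session: Session, params: dict) -> Optional[dict]:
    """Object-level authorization: the record served is the one bound to the
    authenticated identity. A request naming another PAN is refused and logged,
    which is also the signal a detection rule can alert on."""
    requested = params.get("pan", session.pan)
    if requested != session.pan:
        AUDIT.denied.append((session.pan, requested))
        return None  # the HTTP layer maps this to 403 with a generic message
    return TAXPAYER_DB.get(session.pan)


def denied_attempts_by(session_pan: str) -> int:
    """Detection helper: how many cross-PAN requests one identity has had refused."""
    return sum(1 for actor, _ in AUDIT.denied if actor == session_pan)
```

A single refusal is often a stale bookmark or a client bug; a rising count for one session identity is the pattern worth alerting on.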
What taxpayers should do now
Even though the bug has been fixed, users are urged not to assume their data is completely safe. Here’s how you can protect yourself:
Use strong and unique passwords for your tax account and change them regularly.
Never share login details, OTPs, or security answers with anyone.
Enable two-factor authentication for both login and password reset in the “e-Filing Vault” section.
Check your profile often for any unknown changes to your mobile number, email, or bank account.
Watch out for fake emails or texts pretending to be from the tax department. The official website is https://www.incometax.gov.in.
Avoid public Wi-Fi and use secure devices when filing taxes.
If you see anything suspicious, report it immediately via https://www.cybercrime.gov.in or call the tax helpline at 1800-103-4215.