Security Flaw in India’s Tax Portal

India’s Income Tax Portal Security Flaw Exposes Sensitive Data

In a concerning development, India’s income tax e-Filing portal recently suffered a security flaw that exposed sensitive taxpayer data. Security researchers Akshay CS and Viral discovered the vulnerability in September and found that anyone logged into the portal could read other taxpayers’ personal and financial records. The exposed data included names, addresses, email addresses, dates of birth, phone numbers, bank account details, and Aadhaar numbers, the government-issued national identity number.

Discovery and Exploitation

The researchers found the flaw while filing their own taxes. Using an HTTP client such as Postman or an intercepting proxy such as Burp Suite, they replaced their own PAN (Permanent Account Number) in the network request with someone else’s, and the portal returned that person’s data. This class of bug is an Insecure Direct Object Reference (IDOR): the server uses an identifier supplied by the client (here the PAN) to look up a record, but never checks that the authenticated user is actually authorized to see that record. Being logged in was the only gate, and that gate says nothing about which taxpayer’s data the session may access.
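The following is an added illustration, not code from the portal or from the researchers. It models a profile lookup in plain Python: the vulnerable handler trusts whatever PAN arrives in the request, while the hardened handler ties the lookup to the PAN bound to the server-side session (plus any PANs the session is explicitly authorized to act for, an assumed feature for representatives filing on a client’s behalf). The records, session objects and function names are constructed for the example; the PAN format check reflects the real PAN layout of five letters, four digits and one letter.

```python
import re

# Constructed sample records; not real taxpayer data.
TAXPAYERS = {
    "ABCPD1234E": {"name": "Taxpayer A", "bank_account": "XXXX1111", "aadhaar": "XXXX-XXXX-9876"},
    "AAACC5678F": {"name": "Company B",  "bank_account": "XXXX2222", "aadhaar": None},
}

# PAN layout: five uppercase letters, four digits, one uppercase letter (e.g. ABCPD1234E).
PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")


class Forbidden(Exception):
    """Raised when the session is not allowed to read the requested record."""


def get_profile_vulnerable(session, requested_pan):
    """IDOR: checks only that the caller is logged in, then trusts the client-supplied PAN."""
    if not session.get("logged_in"):
        raise Forbidden("not authenticated")
    # No check that requested_pan belongs to this session: any user can read any record.
    return TAXPAYERS[requested_pan]


def allowed_pans(session):
    """PANs this session may read: its own plus any it is explicitly authorized for (assumed feature)."""
    return {session["pan"]} | set(session.get("authorized_pans", ()))


def get_profile_hardened(session, requested_pan):
    """Object-level authorization: the record must belong to the session or be delegated to it."""
    if not session.get("logged_in"):
        raise Forbidden("not authenticated")
    if not PAN_RE.fullmatch(requested_pan):
        raise ValueError("malformed PAN")
    if requested_pan not in allowed_pans(session):
        # Deny before touching the data store, and do not reveal whether the PAN exists.
        raise Forbidden("PAN is not accessible from this session")
    return TAXPAYERS[requested_pan]


if __name__ == "__main__":
    attacker = {"logged_in": True, "pan": "ABCPD1234E"}
    print(get_profile_vulnerable(attacker, "AAACC5678F")["name"])   # leaks Company B
    try:
        get_profile_hardened(attacker, "AAACC5678F")
    except Forbidden as e:
        print("blocked:", e)
```

The important design choice is that the hardened handler derives the set of readable PANs from server-side session state, so the client-supplied value is only ever compared against it, never used as the sole key. Validating the PAN format first also stops malformed identifiers from reaching the data layer.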

Impact and Concerns

The vulnerability exposed data of both individuals and companies, and with more than 135 million registered users on the portal the population at risk was potentially that large. How long the flaw was present, and whether anyone exploited it maliciously before it was fixed, remain unclear. Answering that question requires server-side logs that record both the authenticated user and the PAN each request asked for, which is exactly the pairing the vulnerable code never compared. The oversight highlights the need for robust access control in government systems handling sensitive data.
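Since the page leaves open whether the flaw was abused, here is an added example of the retrospective check a responder would run, written for this page and not taken from the Income Tax Department or the researchers. It assumes an application log line that records the session’s PAN and the PAN in the request body (a constructed format; real portal logs are not public), flags every request whose requested PAN differs from the session PAN, and lists sessions that touched more than one foreign PAN, the typical signature of enumeration.

```python
import re
from collections import defaultdict

# Constructed log lines in an assumed format; not real portal logs.
SAMPLE_LOG = """\
2025-09-10T09:01:02Z session_pan=ABCPD1234E POST /api/profile body={"pan":"ABCPD1234E"}
2025-09-10T09:01:09Z session_pan=ABCPD1234E POST /api/profile body={"pan":"AAACC5678F"}
2025-09-10T09:01:11Z session_pan=ABCPD1234E POST /api/profile body={"pan":"XYZPK9999Q"}
2025-09-10T09:02:30Z session_pan=AAACC5678F POST /api/profile body={"pan":"AAACC5678F"}
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) session_pan=(?P<session_pan>[A-Z0-9]{10}) '
    r'\S+ \S+ body=\{"pan":"(?P<req_pan>[A-Z0-9]{10})"\}$'
)


def find_cross_pan_access(log_text):
    """Map each session PAN to the (timestamp, requested PAN) pairs where the PANs differ."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently treated as clean
        if m["req_pan"] != m["session_pan"]:
            hits[m["session_pan"]].append((m["ts"], m["req_pan"]))
    return dict(hits)


def enumeration_suspects(log_text, threshold=2):
    """Sessions that read at least `threshold` distinct foreign PANs (assumed cut-off)."""
    cross = find_cross_pan_access(log_text)
    return sorted(
        pan for pan, events in cross.items()
        if len({req for _, req in events}) >= threshold
    )


if __name__ == "__main__":
    for pan, events in find_cross_pan_access(SAMPLE_LOG).items():
        for ts, req in events:
            print(f"{ts} session {pan} read foreign PAN {req}")
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

A single mismatch might be a legitimate representative acting for a client, so the threshold keeps those out of the suspect list while the full mismatch map is kept for manual review. If the logs do not capture the requested PAN at all, this analysis is impossible, which is itself a finding worth reporting.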

Response and Fix

CERT-In, India’s national Computer Emergency Response Team, was informed, but no timeline for a fix was given at first. The issue was later fixed, yet neither the Income Tax Department nor the Ministry of Finance communicated publicly about the flaw, its duration, or whether affected taxpayers would be notified, which raised transparency concerns. Maintaining user trust requires clear communication alongside rigorous security practices.

Conclusion

This incident underscores the importance of prioritizing cybersecurity in critical systems, and in particular of testing object-level authorization on every endpoint that takes an identifier from the client. It should serve as a wake-up call for stronger security measures and greater transparency. Taxpayers are advised to monitor their bank accounts and portal activity and to protect their personal information diligently.

Mr Tactition
Self-Taught Software Developer and Entrepreneur
