Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The Indian Government’s tax authorities have solved a security error in its income tax filing portal that was releasing sensitive taxpayers, learned exclusively with the TechCrunch authorities and confirmed.
This error discovered by Akshay CS and “Viral” in September has allowed anyone who has been logged in by “viral” E-Failing Portal of Income Tax Department To access the other person’s up-to-date personal and financial data.
The open data included the full name, home address and email address, date of birth, phone number and their income on their income in India. The identity of the information was also opened as proof of the identity of the information and the Aadhaar number of a unique government-jerky identifier used for access to government services.
The TechCrunch has best verified its skills with the permission of researchers to look for this reporter’s records in the portal.
Security researchers confirmed to TechCrunch on October 2 that weakness was fixed. Risk to the public, TechCrunch prevents the release of this story until security researchers are convinced that weaknesses can no longer be exploited.
Representatives of the Indian Income Tax Department have acknowledged the request of our email, but did not answer our questions during the press time. The Income Tax Department has not presented any objection to our story.
‘Extremely low hanging’ bugs gave access to sensitive data
Security researchers told Akshay CS and “Viral” TechCrunch that they discovered weaknesses while filing their recent income tax return on the official website.
The residents of India will have to file their annual income to calculate the taxes that the Indian government.
Researchers have discovered that when they signed in an official document issued by the Indian Income Tax Department, they have signed in to the portal using their permanent account number (PAN), they can view the sensitive financial information of someone else for the network request as a web page load as a web page load.
It can be done using the postman or the universally available tools like that Barp suit (Using the built -in developering tools in the web browser) and with the knowledge of someone else’s pan, researchers told Techcunch.
Anyone who logged in to the tax portal is usable because the back-end servers of the Indian Income Tax Department were not verified correctly that a person was allowed to access sensitive data. This class of weakness is known as an unsafe direct object reference, or edoor, a general and general error which Governments have warned that exploitation is easy to exploit And may violate large -scale data.
“This is a very low hanging thing, but there is a very serious consequence,” researchers told TechCrunch.
In addition to individual data, researchers said that the bug also opened the data related to registered companies in the e-filing portal.
TechCrunch further verified that the bug had exposed data on people who could file their income tax return this year. We have confirmed by asking a person who has not yet filed their tax return to allow researchers to look for their information using their portal bug.
Certi-in acknowledges the protection error
Researchers have warned of India’s computer emergency preparation team or Sarti-in Protection error immediately after their invention, but a timeline was not provided to fix them.
When contacted by TechCrunch on September 7, a certified-in representative said that the Income Tax Department is already working to solve weakness.
The Indian Finance Ministry did not return the TechCrunch request for comments. After reaching the Income Tax Department about the weakness, the director of the system acknowledged the receipt of TechCrunch email on October 1, but did not comment.
It is not yet clear how many days the weakness exists or whether a contaminated actor has accessed open data. Cert-in did not respond to these questions when asked by TechCrunch.
The exact number of users affected by open data is also unclear. In the Portal of the Income Tax Department, more than 5 million registered users are listed and more than 76 Million users have filed income tax returns in 2021-27 per financial year. Public data Available to the portal itself.
