Security bug in India’s income tax portal exposed taxpayers’ sensitive data – by swapping credential numbers :(

The Indian government’s tax authority has fixed a security flaw in its income tax filing portal that was exposing sensitive taxpayers’ data, TechCrunch has exclusively learned and confirmed with authorities.

The flaw, discovered in September by a pair of security researchers Akshay CS and “Viral,” allowed anyone who was logged into the income tax department’s e-Filing portal to access up-to-date personal and financial data of other people.

The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India. The data also exposed citizens’ Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services.

[…]

The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else’s sensitive financial data by swapping out their PAN for another PAN in the network request as the web page loads.

This could be done using publicly available tools like Postman or Burp Suite (or using the web browser’s in-built developer tools) and with knowledge of someone else’s PAN, the researchers told TechCrunch.

The bug was exploitable by anyone who was logged-in to the tax portal because the Indian income tax department’s back-end servers were not properly checking who was allowed to access a person’s sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.

“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch.

[…]