Earlier this month, a significant security vulnerability was discovered in India’s Income Tax e-filing portal, which serves over 135 million users. While the government has addressed this issue, concerns remain that sensitive personal data of millions, including corporations filing tax returns, may have been compromised.
Security researchers Akshay CS and Viral detected the flaw while filing their taxes. They noticed that by simply altering their PAN details upon logging in, they were able to access the financial information of other users. The portal requests PAN details to load a user’s personal profile, but the backend server did not sufficiently verify this data.
The specific vulnerability identified is known as insecure direct object reference (IDOR). This severe access control flaw allows unauthorized users to access and potentially exfiltrate another user’s data with relative ease. The Indian Computer Emergency Response Team (CERT-In) has classified this weakness as a high-severity risk, emphasizing the challenge in detecting such vulnerabilities, even though exploiting them is straightforward. At the time of this report, CERT-In had not responded to inquiries for additional comments.
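An added illustration of the flaw class described above, not the portal's own code: a profile lookup that trusts a client-supplied PAN, beside one that checks it against the PAN bound to the session at login. All function names, the session model and the sample records are hypothetical and constructed for this example.

```python
"""Added illustration of the IDOR class described above (hypothetical names,
constructed data; not the portal's actual code)."""
from dataclasses import dataclass, field

# Constructed sample records keyed by PAN (placeholder values).
PROFILES = {
    "AAAAA0000A": {"name": "User A", "declared_income": 900000},
    "BBBBB1111B": {"name": "User B", "declared_income": 2500000},
}

@dataclass
class Session:
    """Server-side session: the PAN is fixed at login, never taken from a request."""
    authenticated_pan: str
    denied_requests: list = field(default_factory=list)  # audit trail for monitoring

def load_profile_vulnerable(session: Session, requested_pan: str) -> dict:
    # Flaw: trusts the PAN in the request and never compares it to the session.
    return PROFILES[requested_pan]

def load_profile_hardened(session: Session, requested_pan: str) -> dict:
    # Object-level authorization: the requested record must belong to the
    # authenticated user. A mismatch is refused and recorded for review.
    if requested_pan != session.authenticated_pan:
        session.denied_requests.append(requested_pan)
        raise PermissionError("requested PAN does not match authenticated user")
    return PROFILES[session.authenticated_pan]

def demo() -> dict:
    session = Session(authenticated_pan="AAAAA0000A")
    leaked = load_profile_vulnerable(session, "BBBBB1111B")  # another user's record
    try:
        load_profile_hardened(session, "BBBBB1111B")
        blocked = False
    except PermissionError:
        blocked = True
    own = load_profile_hardened(session, "AAAAA0000A")
    return {"leaked": leaked["name"], "blocked": blocked, "own": own["name"],
            "audit": list(session.denied_requests)}

if __name__ == "__main__":
    print(demo())
```

The hardened lookup also refuses a PAN that does not exist, so the response does not reveal which identifiers are valid.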
This incident is emblematic of a broader security landscape in India, where organizations reportedly face more than 3,200 cyberattacks weekly. Sectors like education, government, and consumer goods are among the most frequently targeted. In a related development, several coordinated cyberattacks occurred in August, reportedly involving threat actors linked to countries like China and Pakistan, especially following India’s military response to a terrorist incident.
Previous security breaches in India have led to extensive personal data leaks, with instances including defense personnel information being sold online and sensitive health records compromised in earlier cyber incidents.
Experts like Rajesh Pant, Chairman of the Cybersecurity Association of India, warn that cybercriminals are increasingly utilizing artificial intelligence to enhance their attacks, complicating defensive measures. While corporations can deploy AI to bolster their security, human error remains a significant vulnerability.
To mitigate risk, Vinayak Godse, CEO of the Data Security Council of India, suggests that organizations need to proactively assess and manage their interactions with third-party services that may expose them to security risks. This can involve monitoring third-party components, conducting threat hunting exercises, and continuously evaluating potential compromises.
Despite increased governmental spending on cybersecurity, experts identify persistent gaps in security frameworks. The recent budget allocation of ₹1,900 crore for cybersecurity aims to improve infrastructure, but the overall effectiveness of such efforts is still questioned. Enhanced collaboration across government departments is suggested as a way to strengthen the nation’s cybersecurity posture.
Moreover, initiatives like the Guidelines for Indian Government Websites (GIGW) outline essential security protocols, including encryption and multi-factor authentication. However, CERT-In lacks public bug bounty programs similar to those in the private sector and international counterparts, which could incentivize the discovery of vulnerabilities.
Lastly, while modernization efforts are underway—like the Railway Ministry’s overhaul of its passenger reservation system to incorporate Aadhaar-based authentication—legacy systems and a lack of cyber awareness among government employees still pose significant challenges. Continuous monitoring and enhanced collaboration are seen as crucial steps in securing India’s digital landscape moving forward.