Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Government of India.. Show all posts
protecting sensitive data
Banking Data Critical security flaw Cyber Security Data Exposure Government of India. Income Tax Department Information Security protecting sensitive data

Indian Tax Department Fixes Major Security Flaw That Exposed Sensitive Taxpayer Data

 

The Indian government has patched a critical vulnerability in its income tax e-filing portal that had been exposing sensitive taxpayer data to unauthorized users. The flaw, discovered by security researchers Akshay CS and “Viral” in September, allowed logged-in users to access personal and financial details of other taxpayers simply by manipulating network requests. The issue has since been resolved, the researchers confirmed to TechCrunch, which first reported the incident. 

According to the report, the vulnerability exposed a wide range of sensitive data, including taxpayers’ full names, home addresses, email IDs, dates of birth, phone numbers, and even bank account details. It also revealed Aadhaar numbers, a unique government-issued identifier used for identity verification and accessing public services. TechCrunch verified the issue by granting permission for the researchers to look up a test account before confirming the flaw’s resolution on October 2. 

The vulnerability stemmed from an insecure direct object reference (IDOR) — a common but serious web flaw where back-end systems fail to verify user permissions before granting data access. In this case, users could retrieve another taxpayer’s data by simply replacing their Permanent Account Number (PAN) with another PAN in the network request. This could be executed using simple, publicly available tools such as Postman or a browser’s developer console. 

“This is an extremely low-hanging thing, but one that has a very severe consequence,” the researchers told TechCrunch. They further noted that the flaw was not limited to individual taxpayers but also exposed financial data belonging to registered companies. Even those who had not yet filed their returns this year were vulnerable, as their information could still be accessed through the same exploit. 

Following the discovery, the researchers immediately alerted India’s Computer Emergency Response Team (CERT-In), which acknowledged the issue and confirmed that the Income Tax Department was working to fix it. The flaw was officially patched in early October. However, officials have not disclosed how long the vulnerability had existed or whether it had been exploited by malicious actors before discovery. 

The Ministry of Finance and the Income Tax Department did not respond to multiple requests for comment on the breach’s potential scope. According to public data available on the tax portal, over 135 million users are registered, with more than 76 million having filed returns in the financial year 2024–25. While the fix has been implemented, the incident highlights the critical importance of secure coding practices and stronger access validation mechanisms in government-run digital platforms, where the sensitivity of stored data demands the highest level of protection.
Read more »
WhatsApp
Data Protection Bill Facebook Google Government of India. Privacy WhatsApp

Data Privacy on Alert; Facebook, Whatsapp and Others Fear The Personal Data Protection Bill?


The latest amendments in the “personal data protection bill” of India could make Facebook and other data consuming platforms lose sleep over enhanced government powers.

On Tuesday, the Personal Data Protection Bill was passed around in the parliament which could have strong consequences on the way the organizations store, process and use public data.

The newest addition to the bill is the stipulation that endows the Indian government to demand from a company the “anonymized” personal and non-personal data for better government services.

Per the bill, any information that could aid in identifying a person and possesses characteristics, traits or any attributes of a person’s identity could be defined as “personal data” and the rest as non-personal.

For the leading tech-organizations, personal or non-personal, the data is valuable. And these new provisions brought out by the bill are issues of major concern.

Reportedly, an official strongly taking the government’s stand mentioned that the “personal data” is as valuable to the society as it is to the tech-companies.

They also mentioned something along the lines of making use of data from cab organizations like “Uber” to comprehend the limitations of Indian public transport and what could be done for its betterment.


There is no specific mention as to what the data shall come in exchange for or any other ensuing rules as to the processes regarding it.

Per the bill, personal data such as biometric details and financial data could be transferred beyond the boundaries of India for processing purposes but must be stored locally.

Allegedly, the media platforms in question could also need to provide a structured procedure for users to “prove their identities” and “display a verification sign publicly”. This could cause major companies to face major technical issues.

Dreading the possibility of furthered compliance costs, the countries across the globe have been pushing their agencies to go against such rules.

Per reports, these fresh exceptions that the bill makes available for the government could be alarming for India’s privacy situation which isn’t as strong as all that.

The bill that shall soon be presented in the parliament will definitely not be passed in this session and only after further voting and discussion should any results be declared.

Read more »
Subscribe to: Comments (Atom)