The Income Tax India website has patched a security flaw that could have let anyone with knowledge of the vulnerability hack or deface the website. The flaw in question was detected by security researcher Dhiraj Mishra, who found the website susceptible to a previously disclosed remote code execution vulnerability on Microsoft SharePoint, identified as CVE-2019-0604. According to Mishra, the vulnerability was reported to the Indian Computer Emergency Response Team (CERT-in) on February 12, about a week ago. The issue was acknowledged the next day, and the issue was patched over the following days, without any further intimation of the same.
Remote code execution (RCE) vulnerabilities are comparatively common in the cyber security space, and often allow individuals with malicious intent to hack into a website remotely. This particular vulnerability that affected the Income Tax India website was added to the National Vulnerability Database of the US department of commerce back on March 5, 2019. This means that the issue was made public almost a year ago, which also left the Income Tax India website vulnerable for the same duration of time.
Using this flaw could have let attackers install "web shells", which can remotely tap in to a web server and access the server's file system, among other things. This is particularly critical here since the nature of data on the Income Tax India file servers can be deemed sensitive, as it includes financial details of millions of individuals. However, there have so far been no information on whether this vulnerability was exploited by any attacks, since there have been no such disclosure from the Income Tax department.
News18 has independently verified the communication shared between Mishra and CERT-in, pertaining to the flaw. With the patch for the issue now in place, it now remains to be seen if the issue remained a dormant one until its recent patch issuance, or was the cause of any data theft that may have happened. Mishra has also shared specific technical details on his own blog, which can be accessed here.