Imagine if you could peek into the books of India’s biggest companies — before quarterly earnings were announced. By simply looking at their GST challan receipts, you’d know how much tax they paid, which bank they used, and how frequently they filed. That’s not just boring compliance data. It’s a real-time financial signal — a proxy for revenue, performance, and market health. In the wrong hands, this becomes insider information worth billions.
This isn’t hypothetical. While filing GST for my company, I stumbled upon a vulnerability in the official GST Portal that could have exposed 11.8 million records. Anyone with basic technical skills could have automated the process, scraped challan details at scale, and built a live “insider trading dashboard” of India Inc. The potential for market manipulation, front-running, or short-selling was massive.
To put it in perspective: this would be like getting access to company GST payments before the quarterly results hit the stock exchange. Imagine being able to see exactly how much tax Reliance, Infosys, or HDFC paid last month — well before analysts and investors could. Traders could front-run earnings announcements, competitors could map business growth, and entire indices like the NIFTY50 or Sensex could be manipulated based on insider-level visibility.
And all of this wasn’t locked away in some classified dataset — it was sitting behind a public government portal with weak access control.
What follows is the story of how I found the bug, what data was exposed, how I reported it, and how it was fixed.
GST Portal
The GST (Goods and Services Tax) portal is the backbone of India’s indirect tax system. Every business that sells goods or services in India uses it to file returns, pay taxes, and generate challans. Depending on the type of goods or services, tax rates range from 0% to 28% [1].
As of September 2024, government data shows 14.8 million registered taxpayers, of which 11.8 million filed returns that month alone.[2] For sole proprietors and small businesses, the GSTIN (GST Identification Number) even embeds their PAN (Permanent Account Number) — making the portal a treasure trove of both personal and financial identifiers.
But more importantly, GST filings aren’t just a compliance ritual. They’re a real-time reflection of business performance:
- A rising challan amount indicates higher sales/revenue.
- Filing frequency shows business activity patterns.
- Sectoral filings collectively mirror the health of entire industries.
The Hack
The filing process involves the following steps:
- Login to the GST portal
- Go to Services > Payments > Challan History
- Create a challan for the amount of GST you’ve to pay on the GST portal.
- Pay the challan on the portal.
- You get the acknowledgement receipt on the webpage.
I had a web proxy running to capture all the HTTPS traffic. Every challan has a receipt id, termed the CPIN (Challan PIN). The website fetches the details of each challan through the API endpoint:

GET https://payment.gst.gov.in/payment/auth/challan/getReceipt?cpin=<cpin_here>

The response from this GST portal API endpoint looked like this:
At this point, I wondered: what happens if I just change the CPIN?
Well, well. I was able to access another user’s data from the GST portal, confirming the access control issue on the receipt endpoint. I quickly automated it in my web proxy to see whether the sensitive data of multiple users could be accessed, and found that it could.
Here’s the proof-of-concept automation I built (with some fun graphics :) ):
Impact
This vulnerability went far beyond exposing challan receipts. In India, GST filings are a direct proxy for revenue and business health. Every filing carries the GSTIN, challan amount, and bank used — essentially a live financial signal of how much a company is selling and how fast it’s growing.
To validate this, I spoke with a chartered accountant, who confirmed that GST filings are indeed treated as a direct proxy for turnover. In her words:
“If someone had access to this data, they could use it to anticipate quarterly performance and even manipulate the stock market.”
- CA Bidisha Sarkar
- For listed companies this means anyone could have predicted quarterly performance before results were announced on the exchanges. Traders could have front-run earnings calls, shorted underperforming firms, or pumped stocks that showed rising GST payments. The potential for manipulation across NIFTY50 and Sensex stocks was enormous.
- For startups and SMEs, the risks were just as severe. Competitors could quietly track turnover growth, investors could cherry-pick high-performing companies before valuations caught up, and entire sectors could be profiled by their monthly GST contributions.
- And at a macro level, an attacker could have built an “alternative RBI dashboard” — real-time GST collections by industry, by region, by company size — insights normally guarded and released only in aggregate by the government. In the wrong hands, this was a blueprint to move not just individual stocks, but entire markets.
In short: this wasn’t just a data privacy issue. It was a financial stability issue, with implications for India’s economy, stock markets, and trust in digital governance.
Reporting & Handling
As soon as I confirmed the issue, I knew the scale of exposure was too large to sit on. This wasn’t just a bug in a small portal — it was the financial pulse of 11.8 million Indian taxpayers at risk.
I reported the vulnerability directly to CERT-IN (Computer Emergency Response Team, India) at their official contact (info@cert-in.org.in). To their credit, I received an acknowledgement the very next day. The team was quick to validate the report and began remediation.
Within a month, the vulnerable endpoint had been patched and proper access controls were in place. The portal no longer exposed taxpayer data through CPIN manipulation.
For me, this was a reminder of two important things:
- Responsible disclosure works in India. Even at the scale of national portals, the system can respond quickly when approached the right way.
- Timely reporting matters. Had this issue been abused in the wild, the damage to market trust and digital governance could have been immeasurable.
No personal data was stored, shared, or misused during this research. The goal was always to highlight the risk, not exploit it.
Lessons for Developers
This bug wasn’t complex. It wasn’t SQL injection, ransomware, or some zero-day. It was a basic access control failure, an IDOR (Insecure Direct Object Reference). Yet its consequences could have been devastating for India’s markets and economy.
Here are some takeaways for developers, especially those building sensitive applications such as government portals, fintech apps, and high-scale SaaS products in India:
- Never trust the frontend. Client-side checks are not security. Always enforce authentication and authorization server-side, especially for sensitive APIs.
- Don’t use sequential IDs for sensitive objects. CPINs were easy to iterate. Use UUIDs or sufficiently random identifiers to prevent brute-forcing.
- Think about business impact, not just data exposure. A challan amount might not look like PII, but in India it’s a direct proxy for company revenue. Always consider how leaked fields could be misused in the local context.
- Test like an attacker. If you’re building for millions of users, assume someone will fuzz your APIs. Pen-test endpoints with tools that change IDs, replay tokens, and simulate automation.
- Adopt RBAC and least privilege. Make sure every API request enforces “is this the right user, with the right role, accessing the right data?”
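The receipt endpoint in the write-up and the takeaways above describe the same fix from two sides: a handler that checks only "is the caller logged in" versus one that checks "does this receipt belong to the caller". The code below is an added example, not the GST portal’s code, modelling both handlers without a web framework so it runs stand-alone; the receipt store, the GSTIN values and the `Session` type are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: challan receipts keyed by CPIN (the receipt id the post
# describes), each tied to the GSTIN that paid it. GSTINs, amounts and banks are placeholders.
RECEIPTS = {
    "24010100000001": {"gstin": "GSTIN-A", "amount": 150000, "bank": "Bank X"},
    "24010100000002": {"gstin": "GSTIN-B", "amount": 9800000, "bank": "Bank Y"},
}


@dataclass
class Session:
    gstin: str  # the taxpayer the caller authenticated as; set server-side at login


def get_receipt_vulnerable(session: Optional[Session], cpin: str):
    """Before: the only check is 'is the caller logged in' (the 'auth' in the URL path).
    The handler then returns whichever receipt the client-supplied cpin names, so any
    authenticated user can read any taxpayer's challan. This is the IDOR in the post."""
    if session is None:
        return 401, {"error": "login required"}
    receipt = RECEIPTS.get(cpin)
    if receipt is None:
        return 404, {"error": "no such challan"}
    return 200, receipt


def get_receipt_hardened(session: Optional[Session], cpin: str):
    """After: authorization is bound to the object. The lookup is scoped to the caller's
    own GSTIN (the database equivalent is WHERE cpin = ? AND gstin = ?), so another
    taxpayer's CPIN and a non-existent CPIN produce the identical 404."""
    if session is None:
        return 401, {"error": "login required"}
    receipt = RECEIPTS.get(cpin)
    if receipt is None or receipt["gstin"] != session.gstin:
        return 404, {"error": "no such challan"}
    return 200, receipt


def new_cpin() -> str:
    """Non-sequential receipt id: 128 bits from the OS CSPRNG, so ids cannot be iterated.
    The ownership check above is still required; randomness only removes the cheap
    enumeration path, it does not replace authorization."""
    return secrets.token_hex(16)


def authz_regression_test(handler) -> bool:
    """The 'test like an attacker' check: every account may see only its own receipts,
    and an unauthenticated caller sees nothing. Returns True when the handler passes."""
    for cpin, receipt in RECEIPTS.items():
        for gstin in ("GSTIN-A", "GSTIN-B"):
            status, _ = handler(Session(gstin), cpin)
            expected = 200 if receipt["gstin"] == gstin else 404
            if status != expected:
                return False
    return handler(None, next(iter(RECEIPTS)))[0] == 401


if __name__ == "__main__":
    print("vulnerable passes authz test:", authz_regression_test(get_receipt_vulnerable))
    print("hardened passes authz test:  ", authz_regression_test(get_receipt_hardened))
```

The point of `authz_regression_test` is that it belongs in the project’s CI: a cross-account lookup for every object-returning endpoint is a cheap, mechanical test, and it is exactly the check that was missing here.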
Security in India is not just about protecting passwords and emails. In a digital economy where GST, Aadhaar, UPI, and DigiLocker power everyday life, API leaks can ripple into stock markets, valuations, and national trust.
P.S.
If you like reading these write-ups, follow me on X/Twitter or subscribe to my blog for more.
We are building the next autonomous pentesting agent at ShipSec.AI .
To get early access please add your email here — https://shipsec.ai
Disclaimer:
This write-up is for educational purposes. No data was misused or stored and no stock was manipulated. The main aim of this article was to show the impact this security issue could have caused.