New Delhi: Even as the Central Board of Secondary Education (CBSE) continues to face criticism over mix-ups of answer sheets, portal crashes and payment glitches in the post-result process for Class 12, a new controversy has emerged around the security of its newly introduced On-Screen Marking (OSM) system.

Nisarga Adhikari, a 19-year-old cyber security researcher, has alleged that he has discovered several critical vulnerabilities in CBSE’s OSM portal that could potentially allow unauthorized access to examiner accounts, password resets and even modification of students’ marks. The claims, published in a detailed technical blog post and widely circulated on X, have raised fresh concerns over the board’s digital preparedness after weeks of student complaints over mismatched answer sheets, blurry scans and assessment discrepancies.

The teenage researcher has detailed the alleged loopholes in the CBSE evaluation portal.

In his blog titled “Exposing critical vulnerabilities in CBSE’s on-screen marking portal”, Adhikari claimed that he discovered the issues on February 25 and reported them to CERT-In before making them public.

“I was able to log in as an examiner and access the evaluation dashboard, where I could view and edit marks,” he wrote.

According to the blog, the alleged vulnerabilities include a “hardcoded master password” found within the portal’s JavaScript bundle, client-side OTP authentication, missing root protection, password reset flaws and what it described as a “systemic IDOR vulnerability.”

“One of the hardest things wasn’t the exploit,” he wrote, “the hardest part was reading the JavaScript file and editing some values in DevTools.”

Adhikari also alleged that OTP authentication was effectively meaningless because “the browser grades its own test”.

“A security control running on an attacker’s machine is no control at all,” he wrote.

At the assertion level amid increased scrutiny of the OSM rollout

The controversy comes days after the CBSE admitted that a Delhi student, Vedanta Shrivastava, had received another student’s physics answer sheet under his roll number due to a technical glitch in the scanning process linked to OSM.

Later, the board admitted the mistake and sent the correct answer sheet to the student.

The OSM system was introduced this year for Class 12 assessment with CBSE’s push towards digital assessment and faster post-result processing.

Software engineer Diddy Das, reacting to Adhikari’s findings on X, wrote: “A 19-year-old cracked the exam system of 2M+ students in one year in India’s largest high school exam system, CBSE, and was able to see and change any student’s marks.”

Das added that the researcher responsibly disclosed the vulnerabilities months ago and claimed that “not much has changed” despite previous warnings about similar flaws in CBSE systems.

CERT-In was notified, the website was subsequently taken offline.

Adhikari said he reported the vulnerabilities to CERT-In and received an acknowledgment reference number. According to his blog, only some issues were initially fixed.

“Most of the vulnerabilities I’ve reported have gone undetected for a long time,” he wrote.

Shortly after the claims went online, the OSM portal became temporarily inaccessible, with users reporting that the website had gone offline.

Disclaimer: Claims regarding vulnerabilities in CBSE’s On-Screen Marking (OSM) portal are based on the statements of cyber security researcher Nisarga Adhikari and publicly available information. CBSE has not officially confirmed the extent or impact of the alleged security flaws at the time of publication. Answers from CBSE and CERT-In, if any, will be updated as soon as available.