...
...
Next Story

‘No security breach’: CBSE clarifies after Class 12 student claims ‘vulnerabilities’ in OSM portal

CBSE clarified that the portal used for evaluation answer sheets has a different URL than the one visible on the teenager's screenshots.

Updated on: May 27, 2026 06:50 AM IST
Advertisement

The Central Board of Secondary Education (CBSE) on Tuesday rubbished reports claiming major vulnerabilities with the agency's On Screen Marking (OSM). The reports were based on claims made by a 19-year-old ‘hacker’ alleging “vulnerabilities” on social media.

CBSE further stated that the OSM system was implemented for enhanced transparency in evaluation, "with strong grievance redressal mechanisms built into it." (AI-generated image)
CBSE further stated that the OSM system was implemented for enhanced transparency in evaluation, "with strong grievance redressal mechanisms built into it." (AI-generated image)

Nisarga Adhikary, a 19-year-old hobbyist cybersecurity researcher who finished his Class 12 exams this year, claimed to have hacked the CBSE website and found severe loopholes in the OSM system. While his post on X, dated May 22, did not attract much attention earlier, tech entrepreneur Deedy Das spotted and re-shared it on his handle.

However, CBSE said that the URL seen on Adhikary's screenshots is different than the actual OSM portal's URL. The board said that the teen found the alleged issues on a testing site.

What happened?

"A 19-year old broke into India's largest high school examination system of 2M+ students a year, the CBSE, and was able to view and CHANGE any students' marks," Deedy Das wrote on X.

ALSO READ | CBSE admits answer sheet mix-up after Class 12 student trolled online, called ‘Pakistani’

"He responsibly wrote to the team 3 months ago, and it took them 3 days to fix only one of the issues. Today, they took the entire website down," Das said, calling the situation an "absolute embarrassment".

Adhikary claimed he reported the issues to CERT-In three months ago.

CBSE responds

Responding to Adhikary's claims, CBSE clarified that the portal used for evaluation answer sheets has a different URL than the one visible on the teenager's screenshots. They said the alleged issues that Adhikary claims to have found were from a "testing site".

"At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post. The URL: http://cbse.onmark.co.in is the testing site only with sample data for internal testing and review purposes," CBSE said in a post on X.

The education board affirmed that no security breaches have come to light on the OSM portal deployed for the actual evaluation work.

CBSE further stated that the OSM system was implemented for enhanced transparency in evaluation, "with strong grievance redressal mechanisms built into it."

ALSO READ | Vedant Shrivastava's brother credits 'online' support for CBSE apology in marking row

The central board assured that the application's strong safeguards will ensure the integrity of the platform actually deployed, with regard to any vulnerabilities.

Class 12 students' claims on OSM portal

Nisarga Adhikary said in his blog post that he was poking around on the newly-launched OSM portal when he found "severe vulnerabilities...that could lead to full account takeover of examiner accounts."

"I've done bug bounty and security work for fun before, so when CBSE rolled out OSM, and I noticed the portal link was completely public, my curiosity got the better of me," Adhikary wrote.

What is OSM

CBSE introduced On-Screen Marking (OSM) for Class 12 Board examinations from 2026. Under the OSM system, answer books are digitally scanned and evaluated online, which the education board says eliminates tally errors and reduces manual intervention.

The system also enables faster evaluation, according to CBSE.

'What I found inside was horrible'

Nisarga Adhikary said while the main landing page appeared fine on the surface, problems showed up only once he started looking at the code behind it.

"Like most modern single-page apps, the portal is an Angular application that ships its entire frontend logic in one bundled, minified JavaScript file. The browser downloads this file and runs it locally to render every screen of the app. Anyone can request it, logged in or not. So I pretty-printed it and started reading. What I found inside was horrible," the 19-year-old wrote.

ALSO READ | Parliament panel to review CBSE marking, NEET and language policy

Adhikary then listed the alleged "vulnerabilities" he found in the OSM portal.

Hardcoded master password: He claimed that a "hardcoded master password" was sitting in the frontend bundle's plain text.

"Not a hash, not a token reference, but the literal password string, baked directly into the client-side JavaScript that gets shipped to every visitor's browser," Adhikary wrote.

Due to this issue, Adhikary said that an attacker would only need a target's user ID and school code -- which are publicly obtainable -- and the master password, which is sitting in a JS file anyone can download.

OTP issue: Nisarga Adhikary alleged that the OTP step was also a "pure theatre".

"When you trigger authentication, the server sends the OTP back inside the auth response, and the JavaScript running in your browser compares what you typed against that value locally before letting you through," Adhikary wrote in his blog post.

ALSO READ | Expert team from IITs formed to help CBSE in portal issues

"The secret you're supposed to prove you received is handed straight to your browser, and the browser grades its own test," he added.

A walk-in app: The teen further claimed that the app's routing has no protection. According to Adhikary, the only thing standing between an anonymous visitor and an internal page was a "default redirect to login".

Changing password: Adhikary alleged that a user could change their password, but the "old password variable" still remains in the component.

"The current password is never verified. Whatever ValuatorID you put in the body gets its password reset to whatever you choose. On its own that's bad. Combined with the next issue, it's catastrophic," he added.

Server trusts whatever ID: Nisarga Adhikary claimed that the app server trusts whatever ID the client sends, instead of deriving it from the authenticated session.

"That makes this an Insecure Direct Object Reference (IDOR) vulnerability at the architectural level. It's not one broken endpoint. Practically every POST request in the service is affected. Change the ID in storage and the app acts as that user for any operation it offers," he said.

ALSO READ | IIT Kanpur, Madras teams to assist CBSE for ‘glitch-free’ re-evaluation process

He said that IDOR allows an attacker to act as any examiner by editing a single value in your browser.

He summarised all the issues in five simple points:

Nisarga Adhikary summarised the vulnerabilities he found in the OSM portal.

Reported issue on February 2026

Adhikary claimed he reported all the problems he found to the Indian Computer Emergency Response Team (CERT-In) in February, 2026, as shown in a screenshot he added on his blog post.

Adhikary claimed he followed up several times afterwards, but never heard back from the authorities.

He claimed that CERT-In responded to him, asking for more details, so he sent them a detailed screen recording.

“Their response was a boilerplate acknowledgement: Dear Sir, Thank you for reporting this incident to CERT-In. That makes this an Insecure Direct Object Reference (IDOR) vulnerability at the architectural level. It's not one broken endpoint. Practically every POST request in the service is affected. Change the ID in storage, and the app acts as that user for any operation it offers.”

He claimed to have followed up several times with the authority, but he never heard back.

Adhikary said the lesson from these issues is that "it's that the client cannot be trusted, ever."

Nisarga Adhikary said that for a basic platform, such as the OSM portal, which is entrusted with the integrity of national board examinations, "the basics are the least we expect"

 
ABOUT THE AUTHOR
Asmita Ravi Shankar

Asmita Ravi Shankar is a Senior Content Producer at Hindustan Times, based in New Delhi. She covers breaking news and focuses on crime, geopolitics, and the domestic political landscape. She has an eye for the intricacies in criminal investigations and a keen interest in how diplomacy and complexities affect politics, within India and globally. She has written extensively about Operation Sindoor, the Iran-US conflict, elections in India, Trump tariffs and diplomacy. Asmita also engages in multimedia storytelling, using interactive elements to enhance readers' news experience and build a high-traffic news ecosystem. With nearly three years of experience in the journalism industry, Asmita has been with HT for a little over a year. She has previously worked with online news teams at Outlook India and Network18, covering a wide range of beats and building her specialisation. In HT, she has been recognised for her comprehensive reportage and her contribution to coverage of the Bihar assembly election results, having single-handedly driven over 2 million users on that day. Asmita earned a bachelor's degree in journalism from Delhi College of Arts and Commerce, the University of Delhi. She went on to earn a postgraduate diploma in integrated journalism from the Asian College of Journalism, sharpening her skills in multimedia storytelling, editing and sourcing to enrich her reportage. Additionally, Asmita holds a degree in Bharatanatyam from the Pracheen Kala Kendra. She is also a teacher of the Indian classical dance form. When not working on news, Asmita can be found dancing, binge-watching true crime docu-series, cooking and exploring various genres of music.

Follow India news real-time updates and the latest news covered on Hindustan Times, featuring today's critical updates on Sonam Wangchuk LIVE and more across India.
Follow India news real-time updates and the latest news covered on Hindustan Times, featuring today's critical updates on Sonam Wangchuk LIVE and more across India.
SHARE THIS ARTICLE ON
Hindustantimes wants to start sending you push notifications. Click allow to subscribe