CBSE OSM Portal Vulnerabilities Exposed by Teen Researcher

The Central Board of Secondary Education (CBSE) is facing a new controversy over its On-Screen Marking (OSM) system, as a 19-year-old cybersecurity researcher claims to have discovered multiple critical vulnerabilities that could allow unauthorized access to examiner accounts and even modification of students' marks.

Teen Researcher Alleges Security Flaws

Nisarga Adhikary, a cybersecurity researcher, detailed his findings in a technical blog post titled “Exposing Critical Vulnerabilities in CBSE’s On-Screen Marking Portal.” He stated that he discovered the issues on February 25 and reported them to CERT-In before making them public. According to Adhikary, he was able to log in as an examiner and reach the evaluation dashboard, where he could view and edit marks.

The alleged vulnerabilities include a hardcoded master password visible inside the portal’s JavaScript bundle, client-side OTP validation, missing route protections, password reset flaws, and a systemic IDOR vulnerability. Adhikary noted that the hardest part was not exploitation but reading a JavaScript file and editing a couple of values in DevTools. He also claimed that OTP verification was effectively meaningless because the browser grades its own test, stating that a security control that runs on the attacker’s machine is not a control at all.
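
The server-side counterpart to the client-side OTP validation and missing route protections listed above, as an added example that is not code from Adhikary's post or from the CBSE portal. The function names, the in-memory store, and the expiry and attempt limits are assumptions made for illustration.

```javascript
// Added illustration: OTP checked on the server, route gated by server state.
// All names, the in-memory store and the limits below are assumptions.
const crypto = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000;     // assumed policy: code valid 5 minutes
const MAX_ATTEMPTS = 5;               // assumed policy: guesses per issued code
const KEY = crypto.randomBytes(32);   // per-process key for hashing stored codes
const pending = new Map();            // sessionId -> { mac, expires, attempts }
const verified = new Set();           // sessions that passed OTP (server-only)

const mac = (sid, otp) =>
  crypto.createHmac('sha256', KEY).update(`${sid}:${otp}`).digest();

// The server generates the code and stores only its MAC. The code leaves via
// the delivery channel (SMS/e-mail), never in an HTTP response or JS bundle.
function issueOtp(sid, now = Date.now()) {
  const otp = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
  pending.set(sid, { mac: mac(sid, otp), expires: now + OTP_TTL_MS, attempts: 0 });
  return otp;
}

// The comparison runs here, so editing values in DevTools changes nothing.
function verifyOtp(sid, submitted, now = Date.now()) {
  const rec = pending.get(sid);
  if (!rec) return false;
  rec.attempts += 1;
  if (now > rec.expires || rec.attempts > MAX_ATTEMPTS) {
    pending.delete(sid);              // expired or locked out: force re-issue
    return false;
  }
  const ok = crypto.timingSafeEqual(rec.mac, mac(sid, String(submitted)));
  if (ok) {
    pending.delete(sid);              // single use
    verified.add(sid);
  }
  return ok;
}

// Route guard for the evaluation dashboard: it trusts only server-side state
// and ignores any "verified" flag the client sends.
function guardDashboard(req) {
  return verified.has(req.sessionId) ? 200 : 401;
}
```

In a real deployment the two stores would live in the session backend and the guard would run as middleware on every protected route, including the API endpoints behind the dashboard.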


Growing Scrutiny of OSM Rollout

This controversy comes days after CBSE admitted that a Delhi student, Vedant Shrivastava, had received another student’s Physics answer sheet under his roll number due to a technical error in the OSM-linked scanning process. The board acknowledged the mistake and sent the correct answer sheet to the student. The OSM system was introduced for Class 12 evaluations this year as part of CBSE’s push towards digital assessment and faster post-result processing.

Reacting to Adhikary’s findings on X, software engineer Deedy Das wrote: “A 19-year old broke into India’s largest high school examination system of 2M+ students a year, the CBSE, and was able to view and CHANGE any students’ marks.” Das added that the researcher had responsibly disclosed the vulnerabilities months earlier and claimed that not much has changed despite previous warnings about similar flaws in CBSE systems.

CERT-In Informed, Website Taken Offline

Adhikary reported the vulnerabilities to CERT-In and received an acknowledgement reference number. According to his blog, only some issues were fixed initially, with most vulnerabilities remaining unpatched for a long time. Soon after the claims gained traction online, the OSM portal became inaccessible temporarily, with users reporting that the website had been taken offline.

Disclaimer: The claims regarding vulnerabilities in CBSE’s On-Screen Marking (OSM) portal are based on statements made by cybersecurity researcher Nisarga Adhikary and publicly available information. CBSE has not officially confirmed the extent or impact of the alleged security flaws at the time of publication. CBSE and CERT-In responses, if any, will be updated as they become available.
