‘Absolute embarrassment’: Teen researcher’s claims put CBSE under scanner

The Central Board of Secondary Education has found itself facing fresh scrutiny after a 19-year-old cybersecurity researcher claimed to have uncovered major vulnerabilities in the board’s online answer-sheet evaluation system.

The controversy revolves around the board’s newly introduced On Screen Marking (OSM) system for Class 12 board examinations, under which answer sheets are scanned digitally and evaluated online.

Cybersecurity hobby researcher Nisarga Adhikary alleged in a blog post and social media thread that he had identified serious security flaws in the system earlier this year and reported them to India’s computer emergency response agency, CERT-In.

Also Read | Why CBSE’s 3-language policy is facing heat from students and teachers

The claims gained wider attention after technology entrepreneur Deedy Das reshared the allegations online, describing the situation as “an absolute embarrassment” and suggesting the flaws could have allowed attackers to access or modify student marks.

What the researcher claimed

According to Adhikary, the vulnerabilities were discovered while examining publicly accessible JavaScript files linked to the OSM platform.

In his blog, he alleged that the system contained a hard-coded “master password” visible within front-end website code, which could allegedly allow login access without completing standard OTP verification.

“With those, I was able to log in as an examiner,” he wrote, claiming he could access evaluation dashboards and edit marks. The researcher also alleged that OTP verification checks were being handled on the user’s browser side rather than through secure server-side authentication, potentially exposing verification codes through network requests.

He further claimed that several internal pages of the application lacked proper access restrictions and could allegedly be opened using modified browser storage values. Another allegation involved the password reset system, which he claimed did not verify existing passwords before allowing changes

The blog post quickly circulated across social media platforms and cybersecurity communities, especially as students were already criticising the OSM system over evaluation-related concerns.

CBSE denies breach claims

Responding to the controversy, CBSE issued a clarification rejecting claims that its actual evaluation portal had been compromised.

The board said the URL shown in the screenshots shared online belonged to a testing website containing sample data and not the live platform used for checking answer sheets.

“The URL is the testing site only with sample data for internal testing and review purposes,” CBSE said in its statement on X. The board maintained that no security breach had been identified in the operational OSM portal used during the real evaluation process.

CERT-In reviewing matter

A senior official from CERT-In told Hindustan Times that the agency had reviewed the matter after Adhikary reported the alleged flaws earlier this year and had suggested corrective measures to CBSE.

According to the report, CERT-In had also raised the issue directly with the education board.

Also Read | ‘We are not Pakistani’: CBSE admits answer sheet error after student Vedant Shrivastava faces online trolling

The episode has once again highlighted growing concerns around cybersecurity standards in large-scale educational technology systems, especially those handling sensitive student data and examination records.

It has also sparked debate around responsible vulnerability disclosure, public transparency and digital infrastructure preparedness as more Indian education systems move towards online operations.