‘Weak Defences’: Class 12 Ethical Hacker Claims It Took Only A Few Minutes To Hack CBSE OSM System
A blog post by 19-year-old cybersecurity researcher Nisarga Adhikary alleging serious weaknesses in CBSE’s On-Screen Marking portal is sparking concern online, especially after entrepreneur Deedy Das highlighted the claims on X. The alleged flaws involve systems used for evaluating scanned board exam answer sheets and handling sensitive marks data.
The controversy emerges while many CBSE students complain about portal crashes, blurred answer sheet images, shifting revaluation deadlines and alleged marking errors. At a time when trust in digital evaluation is already strained, fresh questions are being raised about how safely CBSE manages board exam marks online.

CBSE On-Screen Marking portal security issues surface during chaotic result phase
The allegations gain extra traction because this is among CBSE’s most turbulent post-result periods in recent years. Lakhs of students depend on accurate and secure scores for admissions, scholarships and cutoffs, so any possibility of unauthorised mark changes alarms parents, teachers and aspirants across India and abroad.
CBSE has not, at the time of writing, publicly confirmed the blog’s claims or stated whether any student’s marks were actually altered. The board has also not issued a detailed technical clarification on the On-Screen Marking portal, leaving much of the public discussion driven by the researcher’s account.
Teen researcher’s claims about CBSE On-Screen Marking portal draw national attention
According to Nisarga’s blog, the story begins in February with curiosity about CBSE’s newly rolled-out On-Screen Marking, known as OSM. Nisarga writes that the evaluation portal link appeared completely public, so the researcher opened the site and started examining what was happening behind the login interface.
The OSM platform is used by evaluators to check scanned answer scripts online instead of marking physical papers. Examiners log in, view digital copies of students’ sheets and assign marks through the system, which then stores sensitive evaluation data that directly affects board results.
Alleged master password and OTP flaws in CBSE On-Screen Marking portal
Nisarga claims the login form for the CBSE On-Screen Marking portal looks normal at first glance. It requests a user ID, school code and password, followed by a one-time password step. According to the blog, the real issues only appear once someone inspects the code and network traffic behind that page.
In what the researcher describes as one of the most serious lapses, a so-called master password was allegedly found hardcoded inside a publicly served JavaScript bundle. That file is delivered to every visitor’s browser, logged in or not, and can be opened and read using standard developer tools.
Nisarga writes: "That bundle is served publicly. Anyone can request it, logged in or not. So I pretty-printed it and started reading. What I found inside was horrible." The blog alleges that the literal password string appeared directly in the client-side JavaScript code.
The post states: "Not a hash, not a token reference, but the literal password string, baked directly into the client-side JavaScript that gets shipped to every visitor's browser." Nisarga claims that using this password bypassed the OTP requirement and granted access to examiner accounts on the CBSE On-Screen Marking portal.
How CBSE On-Screen Marking portal allegedly handled OTP and logins
According to Nisarga, an attacker would only need a target examiner’s user ID and school code to exploit the alleged master password, and both identifiers are described as publicly obtainable. The blog suggests this combination could grant unauthorised login to examiner dashboards on the CBSE On-Screen Marking portal.
The researcher further alleges that the OTP mechanism itself was weak. Nisarga writes: "The OTP step turned out to be pure theatre." The blog claims the OTP value was sent back in the server response, and the browser then checked whether the entered code matched, instead of the server handling verification securely.
Nisarga describes the situation this way: "The secret you're supposed to prove you received is handed straight to your browser, and the browser grades its own test." By watching network requests, a user could allegedly see the OTP value directly and even skip the normal form altogether through client-side changes.
The post explains that because the comparison happens in client-side code, someone could simply instruct the application that the OTP check succeeded. One widely shared line from the blog states: "A security control that runs on the attacker's machine isn't a control at all."
Beyond login: broader CBSE On-Screen Marking portal vulnerabilities claimed
The alleged problems in the CBSE On-Screen Marking portal were not limited to passwords and OTPs, according to the blog. Nisarga claims several internal routes inside the Angular-based application lacked proper protection. These routes appeared to assume trust once a token existed in the browser’s storage.
The blog states that paths such as "/dashboard", "/profile", "/evalscriptsview" and "/verificationdashboard" could allegedly be opened by placing fabricated values into local storage. Nisarga writes that after adding a fake token and invented user details through browser console commands, the application continued as though a valid login had occurred.
The post summarises this behaviour with: "The token is fake, the user is invented, and the app doesn't care." Another issue described involves the password reset flow. Nisarga alleges that the reset process did not verify the current password before approving a new one for CBSE On-Screen Marking portal accounts.
According to the blog, "The current password is never verified." Nisarga then links this to what is called a "systemic IDOR vulnerability", claiming attackers could alter stored IDs and impersonate examiners. The blog concludes that this combination could allow "a complete account takeover, with no credentials and no insider access."
Key flaws and effects described in CBSE On-Screen Marking portal blog
The blog outlines the alleged issues in the CBSE On-Screen Marking portal in several broad categories, summarised below based on Nisarga’s descriptions.
| Alleged issue | Effect described |
|---|---|
| Hardcoded master password in JavaScript | Bypasses OTP and grants examiner access using public IDs |
| Client-side OTP validation | OTP visible in responses; browser confirms its own code |
| Unprotected internal routes | Dashboard pages open with fake tokens in local storage |
| Password reset without old password check | Allows account changes without confirming existing password |
| Alleged IDOR in account identifiers | Enables potential impersonation of examiner accounts |
Reporting process and response around CBSE On-Screen Marking portal
One reason the case is attracting debate is the timeline Nisarga describes. The researcher says the vulnerabilities were reported to CERT-In soon after discovery in February, months before the blog became widely discussed. The initial disclosure reportedly focused on the master password and client-side OTP checks.
Nisarga writes: "My first email laid out the master-password leak and the client-side OTP validation." According to the blog, CERT-In later requested additional technical information and a screen recording. In response, Nisarga claims to have sent walkthrough videos showing the authentication bypass and related issues in the CBSE On-Screen Marking portal.
The researcher then received a standard acknowledgement email which read: "Thank you for reporting this incident to CERT-In. We have registered your complaint/incident under Ref: CERTIn-XXXXX." Nisarga alleges that after several follow-up attempts, there were no further detailed updates regarding fixes or timelines.
The blog comments on this with frustration, stating: "It's honestly funny that most of the vulnerabilities I reported went unpatched for a long time, when I'd have fixed them in an hour or two if they were mine to fix." This claim has also fed online criticism about institutional responses to security reports.
Deedy Das amplifies CBSE On-Screen Marking portal concerns on X
For several months, discussion of the CBSE On-Screen Marking portal blog remained within limited cybersecurity circles. That changed when tech entrepreneur Deedy Das shared the story on X on May 26, bringing it to a much larger audience including students, educators and policy watchers.
Das called the situation "an absolute embarrassment" and alleged that the vulnerabilities could have allowed someone to "view and CHANGE any students' marks". The strong language quickly drew attention and prompted extensive quote-tweeting and replies, with many users expressing concern about result integrity.
Explaining personal interest, Das wrote: "This topic is close to me because not only is this the education system I went through, but 12 years ago and silently for 5yrs since, I'd written about and reported a much less severe vulnerability." Das also praised the young researcher’s skills in the CBSE On-Screen Marking portal case.
One line from Das’ post drew particular notice: "If there's any light at the end of the tunnel, it's that a 19yo who never went to college can do things 99% of top engineers couldn't figure out." The remarks led to debates about cybersecurity education and hiring standards in public sector technology projects.
Public reactions and trust issues around CBSE On-Screen Marking portal
Replies under Das’ thread on X reflected a mix of outrage, worry and caution. One user wrote: "The code bug is bad. The response bug is worse." Another commented: "A teenager found what institutions missed for years." Many users connected the CBSE On-Screen Marking portal issue to wider exam-related concerns.
People referenced paper leaks, cancelled tests, technical failures and difficulties using revaluation portals across different agencies. Some argued that repeated controversies involving exam technology are eroding confidence in digital processes that control high-stakes outcomes for students. Others urged restraint until CBSE or an independent body verifies the claims.
Several users stressed that while the alleged vulnerabilities sound serious, there is not yet public proof that any marks were actually manipulated through the CBSE On-Screen Marking portal. They called for transparent audits that could either confirm or refute the possibility of tampering without causing unnecessary panic.
Why CBSE On-Screen Marking portal security matters for millions
CBSE works with more than 33,000 affiliated schools in India and several hundred abroad. Its examinations affect millions of students each year, making the reliability and security of evaluation systems like the On-Screen Marking portal a major public interest issue rather than a niche technical detail.
For candidates, board marks influence college admissions, scholarship chances, competitive exam eligibility and early career options. Families often plan finances and expectations around these scores. Any suggestion that marks could be viewed or altered without authorisation therefore hits a sensitive nerve for students and guardians alike.
This situation also develops against a broader backdrop of controversy around examinations in India. Allegations of leaks, scheduling problems and digital glitches have already caused anxiety in several recruitment and academic tests. The CBSE On-Screen Marking portal debate adds another layer to ongoing discussions about how securely educational data is handled.
Nisarga ends the blog by stressing that the CBSE On-Screen Marking portal issues described do not depend on exotic hacking methods. The post notes: "These aren't advanced defences. They're the basics." For many readers, that closing remark underlines concerns that fundamental cybersecurity practices need closer attention in high-stakes education systems.