CBSE Cybersecurity Put To The Test: 19-Year-Old Ethical Hacker Flags ‘OSM Portal Flaws’, Board Rejects Claims
CBSE says that a URL mentioned in social media posts on the ‘hacking’ incident was only a testing platform containing sample data and not the portal used for actual assessment work

CBSE’s On-Screen Marking process to evaluate Class 12 students led to a massive controversy. (File Photo)
The Central Board of Secondary Education (CBSE) has been hit by a fresh digital storm after a 19-year-old cybersecurity researcher, Nisarga Adhikary, claimed to have revealed critical vulnerabilities within the board’s newly introduced On-Screen Marking (OSM) portal. The disclosures, documented in a comprehensive technical blog post and widely shared across social media networks, claim that the flaws could have allowed unauthorised actors to bypass basic verification filters, take complete control of examiner accounts, and potentially alter the marks of over two million Class 12 students.
The security concerns are aggravated by a troubling timeline. Adhikary stated that he discovered the structural flaws on February 25, 2026, and immediately reported his findings to the Indian Computer Emergency Response Team (CERT-In), receiving a formal acknowledgement reference number. However, despite the responsible disclosure, the independent researcher alleged that several severe flaws remained completely unpatched for months, prompting widespread scrutiny over the digital preparedness and response protocols of the national education board.
The board, though, has said that a URL mentioned in social media posts on the “hacking” incident was only a testing platform containing sample data and not the portal used for actual assessment work.
Clarification Regarding Claim of Compromise of CBSE OSM Portal
In a post made by a user on social media, it has been claimed that the CBSE On Screen Marking (OSM) bearing URL: https://t.co/lwAeAFWwo1 was compromised by him on 26.02.2026. This has also formed the basis for a few…
— CBSE HQ (@cbseindia29) May 26, 2026
The Master Password and Broken Client-Side Architecture
According to the technical breakdown published by Adhikary, the absolute core of the vulnerability lies in fundamental oversights in the portal’s frontend architecture. While inspecting the website, the teenager discovered a hardcoded “master password” sitting openly inside a publicly accessible JavaScript bundle shipped directly to every visitor’s browser. Rather than utilising a secure token reference, the literal password string was fully visible inside the client-side code.
With this master password, an outside actor could completely bypass the platform’s One-Time Password (OTP) verification system. To hijack a specific examiner’s account, an attacker simply needed a target user ID and a school code—both of which are easily obtainable through public domains. Furthermore, the portal’s Angular-based framework suffered from non-existent route protection. By inserting dummy variables directly into the browser storage, pages like internal dashboards, profiles, and script verification panels could be forced open, rendering the login requirements effectively useless.
Systemic Flaws and Global Account Takeovers
The exploitation of the system did not stop at unauthorised logins. The researcher says he also identified a systemic Insecure Direct Object Reference (IDOR) vulnerability. By simply modifying the stored user IDs within the developer tools of a standard browser, an external user could effortlessly switch between different examiner profiles, viewing and modifying digital marksheets without needing credentials or insider clearance.
The teen pointed out that the entire validation process was structurally compromised because “the browser was essentially grading its own test”. Placing authentication and authorisation checks in code that runs in the user’s browser, a machine the attacker fully controls, instead of on a backend server is a major violation of baseline digital safety principles, and it turned the assessment platform into an open target.
Escalating Scrutiny Over Digital Overhauls
The fallout from these disclosures comes at a deeply inconvenient moment for CBSE, which has faced a barrage of complaints from families regarding post-result discrepancies, blurred digital answer sheet scans, and mismatched roll numbers.
The controversy gained immense traction after prominent software engineer Deedy Das amplified the blog on X, describing the situation as an absolute embarrassment for a country managing millions of student futures.
CBSE Frameworks and Server-Side Realities
In response to the escalating traction surrounding these claims, senior officials within the Ministry of Education and CBSE IT cells have maintained that the board’s core database architecture remains completely uncompromised. While acknowledging that the front-end portal link was temporarily taken offline for standard security optimisation, technical administrators emphasised that student evaluation logs, master ledger entries, and final results are housed on highly encrypted, multi-tier backend servers that do not rely on client-side authentication.
Government sources close to CERT-In also noted that once the initial vulnerability advisory was received in late February, a standard patching protocol was deployed to isolate the application layers. They reiterated that the national examination framework features rigorous air-gapped backups and strict manual verification multi-checks, ensuring that no external digital injection could permanently alter a student’s certified academic record without triggering immediate automated security flags.