The Central Board of Secondary Education (CBSE) on Tuesday rubbished reports claiming major vulnerabilities in the agency's On Screen Marking (OSM) system. The reports were based on claims made by a 19-year-old 'hacker' alleging "vulnerabilities" on social media.

Nisarga Adhikary, a 19-year-old hobbyist cybersecurity researcher who finished his Class 12 exams this year, claimed to have hacked the CBSE website and found severe loopholes in the OSM system. While his post on X, dated May 22, did not attract much attention earlier, tech entrepreneur Deedy Das spotted it and re-shared it on his handle.

However, CBSE said that the URL seen in Adhikary's screenshots is different from the actual OSM portal's URL. The board said that the teen found the alleged issues on a testing site.

What happened?

"A 19-year old broke into India's largest high school examination system of 2M+ students a year, the CBSE, and was able to view and CHANGE any students' marks," Deedy Das wrote on X.

In a lengthy blog post, Adhikary claimed that despite reporting the vulnerabilities to CERT-In on time, the education board did not fix them.

"He responsibly wrote to the team 3 months ago, and it took them 3 days to fix only one of the issues. Today, they took the entire website down," Das said, calling the situation an "absolute embarrassment".

CBSE responds

Responding to Adhikary's claims, CBSE clarified that the portal used for evaluating answer sheets has a different URL from the one visible in the teenager's screenshots. It said the alleged issues that Adhikary claims to have found were from a "testing site".

"At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post.
The URL: http://cbse.onmarks.co.in is the testing site only with sample data for internal testing and review purposes," CBSE said in a post on X. The education board affirmed that no security breaches have come to light on the OSM portal deployed for the actual evaluation work.

CBSE further stated that the OSM system was implemented for enhanced transparency in evaluation, "with strong grievance redressal mechanisms built into it."

The central board assured that the application's strong safeguards will ensure the integrity of the platform actually deployed, with regard to any vulnerabilities.

Class 12 student's claims on OSM portal

Nisarga Adhikary said in his blog post that he was poking around on the newly-launched OSM portal when he found "severe vulnerabilities...that could lead to full account takeover of examiner accounts."

"I've done bug bounty and security work for fun before, so when CBSE rolled out OSM, and I noticed the portal link was completely public, my curiosity got the better of me," Adhikary wrote.

What is OSM?

CBSE introduced On-Screen Marking (OSM) for Class 12 Board examinations from 2026. Under the OSM system, answer books are digitally scanned and evaluated online, which the education board says eliminates tally errors and reduces manual intervention. The system also enables faster evaluation, according to CBSE.

'What I found inside was horrible'

Nisarga Adhikary said that while the main landing page appeared fine on the surface, problems showed up only once he started looking at the code behind it.

"Like most modern single-page apps, the portal is an Angular application that ships its entire frontend logic in one bundled, minified JavaScript file. The browser downloads this file and runs it locally to render every screen of the app. Anyone can request it, logged in or not. So I pretty-printed it and started reading.
What I found inside was horrible," the 19-year-old wrote.

Adhikary then listed the alleged "vulnerabilities" he found in the OSM portal.

Hardcoded master password: He claimed that a "hardcoded master password" was sitting in plain text in the frontend bundle. "Not a hash, not a token reference, but the literal password string, baked directly into the client-side JavaScript that gets shipped to every visitor's browser," Adhikary wrote. Because of this issue, Adhikary said, an attacker would only need a target's user ID and school code, which are publicly obtainable, and the master password, which is sitting in a JS file anyone can download.

OTP issue: Nisarga Adhikary alleged that the OTP step was also "pure theatre". "When you trigger authentication, the server sends the OTP back inside the auth response, and the JavaScript running in your browser compares what you typed against that value locally before letting you through," Adhikary wrote in his blog post. "The secret you're supposed to prove you received is handed straight to your browser, and the browser grades its own test," he added.

A walk-in app: The teen further claimed that the app's routing has no protection. According to Adhikary, the only thing standing between an anonymous visitor and an internal page was a "default redirect to login".

Changing password: Adhikary alleged that a user could change their password, but the "old password variable" still remains in the component. "The current password is never verified. Whatever ValuatorID you put in the body gets its password reset to whatever you choose. On its own that's bad.
Combined with the next issue, it's catastrophic," he added.

Server trusts whatever ID: Nisarga Adhikary claimed that the app server trusts whatever ID the client sends, instead of deriving it from the authenticated session. "That makes this an Insecure Direct Object Reference (IDOR) vulnerability at the architectural level. It's not one broken endpoint. Practically every POST request in the service is affected. Change the ID in storage and the app acts as that user for any operation it offers," he said.

He said that the IDOR allows an attacker to act as any examiner by editing a single value in the browser.

He summarised all the issues in five simple points.

Reported issue in February 2026

Adhikary claimed he reported all the problems he found to the Indian Computer Emergency Response Team (CERT-In) in February 2026, as shown in a screenshot he added to his blog post. He claimed that CERT-In responded to him, asking for more details, so he sent them a detailed screen recording.

"Their response was a boilerplate acknowledgement: Dear Sir, Thank you for reporting this incident to CERT-In."

He claimed to have followed up several times with the authority, but never heard back.

Adhikary said the lesson from these issues is that "the client cannot be trusted, ever."

Nisarga Adhikary said that for a basic platform such as the OSM portal, which is entrusted with the integrity of national board examinations, "the basics are the least we expect".