While already in the thick of criticism from students over the On-Screen Marking (OSM) system for Class 12 board exams, the Central Board of Secondary Education (CBSE) found itself at the centre of another controversy recently, with a teen claiming to have “hacked” its portal.

A 19-year-old “hobbyist cybersecurity researcher”, Nisarga Adhikary, is behind the big claims, following which the CBSE also released a clarification on Tuesday, rejecting claims that its marking platform had been compromised.

A senior official from the Ministry of Electronics and Information Technology (IT) of India told Hindustan Times that CERT-In (the Indian Computer Emergency Response Team) is looking into the matter and has raised it with CBSE, while also suggesting measures to fix the issues, which the board later undertook to complete. The response was to queries about the action taken following Nisarga's disclosure to CERT-In about alleged loopholes in February.

Notably, CBSE had introduced the OSM system for the assessment of Class 12 Board examinations in February this year. Under this method, answer sheets are scanned digitally and checked online. According to the education board, this helps avoid tallying errors and reduces manual involvement.

What is the ‘hacking’ claim controversy?

Nisarga Adhikary, a 19-year-old cybersecurity hobby researcher who completed his Class 12 examinations this year, claimed he had hacked the CBSE website and identified serious lapses in the OSM system.

Although his X post dated May 22 initially received little attention, technology entrepreneur Deedy Das later noticed it and shared it on his own account. Das described it as "an absolute embarrassment" and claimed that the flaws could have enabled someone to "view and CHANGE any students' marks".
In a detailed blog post published on his website and also shared on X, Nisarga said he had identified several major security flaws in CBSE's OSM portal in February and reported them to CERT-In. However, he claimed that many of the issues he flagged remained unresolved for a considerable period.

‘What I found inside was horrible’

Nisarga said the website's main page looked normal at first glance, but the issues began appearing after he examined the underlying code. According to his blog, the deeper he investigated the system, the more serious the alleged problems appeared.

"Like most modern single-page apps, the portal is an Angular application that ships its entire frontend logic in one bundled, minified JavaScript file. The browser downloads this file and runs it locally to render every screen of the app. Anyone can request it, logged in or not. So I pretty-printed it and started reading. What I found inside was horrible," the 19-year-old wrote.

One of his major claims involved what he called a hard-coded "master password" that was allegedly visible in a publicly accessible JavaScript bundle used by the website. A "master password" flaw would mean the website contained a universal secret password hidden in its code. If someone discovered it, they could sign in as any examiner without requiring the OTP sent to a teacher's mobile phone.

He said that the password was allegedly visible directly in the website's front-end code. According to him, once the master password was entered in the login page, the application automatically completed the OTP field and skipped the usual authentication process.
He also said there was no second-layer check or server verification requirement. He said that logging in as a specific examiner would allegedly require only:

- A target user's ID and school code, both publicly available.
- The master password stored in a JavaScript file accessible to anyone.

“With those, I was able to log in as an examiner (bypassing the OTP/2FA flow totally) and reach the evaluation dashboard, where I could view and edit marks,” he wrote.

Flaws in OTP system as well?

According to the blog, he also alleged major problems within the OTP system.

"When one triggers authentication, the server sends the OTP back inside the auth response, and the JavaScript running in the browser compares what one typed against that value locally before letting you through," he wrote.

Simply put, he said that the OTP itself was being returned in the server response, while the browser separately checked if the entered OTP matched it.

“The secret you're supposed to prove you received is handed straight to your browser, and the browser grades its own test,” he said.

This would mean that anyone checking network requests could allegedly see the OTP directly, according to him. Since the comparison process reportedly happened in client-side code, he claimed someone could bypass the form entirely and tell the application that the check had succeeded.

“A security control that runs on the attacker's machine isn't a control at all,” he wrote, a statement that caught the attention of cybersecurity experts.
Another big claim: ‘Whole app is walk-in’

Passwords and OTPs were not the only issues with the system, the blog claimed. Nisarga claimed several internal sections of the Angular-based application allegedly lacked proper route security. He alleged that pages such as "/dashboard", "/profile", "/evalscriptsview" and "/verificationdashboard" could be opened simply by inserting dummy values into browser storage.

"The only thing standing between an anonymous visitor and an internal page was a default redirect to /login, and that's trivial to defeat," he said.

He further claimed that the system's password reset process did not verify an existing password before permitting a change. "The current password is never verified."

He alleged that combining this issue with what he described as a "systemic IDOR vulnerability" could enable attackers to take over examiner accounts by modifying stored IDs. "That's a complete account takeover, with no credentials and no insider access," he wrote. He claimed an attacker could then enter the victim's account, access assigned answer sheets and make changes to marks.

CBSE reacts to hacking claims

Reacting to the allegations, CBSE said the portal used for checking answer sheets had a different URL from the one shown in the teenager's screenshots. CBSE said the alleged issues flagged by him came from a "testing site".

"At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post. The URL: http://cbse.onmark.co.in is the testing site only with sample data for internal testing and review purposes," the board said in a post on X.

The board said no security breach had been identified in the OSM portal used for the actual evaluation process.