A 19-year-old who identifies himself as a cybersecurity researcher has claimed that the Central Board of Secondary Education's (CBSE) On-Screen Marking (OSM) test website contained a hard-coded “master password” that could allegedly be used to bypass OTP verification, log into examiner accounts and even tamper with students’ marks.

The claims were made by Nisarga Adhikary, who told Hindustan Times that he discovered the alleged vulnerability while examining the backend code of the OSM test site introduced this year for Class 12 board examinations.

CBSE, however, has denied that the actual evaluation portal was compromised, saying the vulnerabilities highlighted by the teenager related only to a “testing site” containing sample data.

What is the OSM row?

CBSE introduced the On-Screen Marking (OSM) system for Class 12 Board examinations from 2026, replacing the conventional manual evaluation process with digitally scanned answer sheets that are checked online. According to the board, the system was intended to eliminate totaling errors, reduce manual intervention and speed up evaluation.

However, the rollout quickly came under fire after students began flagging issues ranging from blurry scans and missing pages to alleged mismatches in uploaded answer sheets during the re-evaluation process.

The controversy escalated after a Delhi student, Vedant Shrivastava, alleged that the Physics answer sheet uploaded under his roll number was not his. His social media posts went viral, prompting CBSE to later acknowledge in an email reviewed by Hindustan Times that a technical issue had led to an incorrect scanned copy being uploaded.

‘Master password’ allegedly embedded in code

According to Adhikary, the portal's frontend JavaScript bundle contained a “literal password string” embedded directly in the code. He claimed that after studying the authentication flow, he realised the password could bypass security checks and directly open the evaluation dashboard.

“I started examining the special logic for username, password, and OTPs and how it's processed. When examining that, I found a master password,” he told Hindustan Times. “After a bit of reading the code, I saw that the master password can bypass all the security protocols and open the dashboard directly.”

The teenager alleged that with an examiner’s user ID and school code (information he described as publicly obtainable), the password could be used to access examiner accounts without completing the OTP verification process.

‘Could tamper marks’

Adhikary claimed the access was extensive enough to allow changes to answer-sheet evaluations and examiner information.

“And after that, you can use that password. You can leverage that password to log into any examiner's account. And after you log into that account, you get access to editing sheets, details of the examiner, and so on,” he said.

He further claimed that he was able to access evaluation dashboards and alter information linked to examiner profiles.

“I could start evaluating sheets, change their details, edit the bank details and stuff in the portal,” he alleged.

Asked what a malicious actor could have done with such access, Adhikary alleged that the flaw could potentially have been used to manipulate marks and extract sensitive data.

“He or she could have extracted data on a large scale and sell them on the black market. He or she would have tampered marks, changed marks of people as they want to,” he claimed.

Other vulnerabilities alleged

In the interview, Adhikary also alleged flaws in the OTP system, password-reset process and access controls within the portal.

“So anyone could enter any rubbish thing in the old password thing and use anyone's user ID and put a new password to take over their account, which was really insecure, in my opinion,” he said while describing the password-reset mechanism.

He further alleged that internal dashboards could be accessed without proper safeguards.

“And most of it, like, there are 40 broken access control vulnerabilities, like, you can access things where you shouldn't have access to. You can view things you shouldn't, like, be able to,” he said.

The teenager said he had reported the issues to the Indian Computer Emergency Response Team (CERT-In) in February and later shared additional technical details and screen recordings.

CBSE says only ‘testing site’ affected

CBSE has rejected the claims that its live evaluation infrastructure was compromised.

“At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post. The URL: http://cbse.onmark.co.in is the testing site only with sample data for internal testing and review purposes,” the board said in a statement.

The board added that no security breach had been identified in the OSM portal used for actual evaluation work and said the system had been implemented “with strong grievance redressal mechanisms built into it.”

Adhikary disputed CBSE’s assertion that the portal was merely a testing environment.

“Secondly, I could access production data. Like I hijacked an examiner's account while I was doing the testing. And that person is a real physics teacher at some school of India and he's in the faculty directory of the school site,” he said.

Between allegations of mismatched answer sheets, social media outrage over OSM glitches and now questions over portal security, CBSE has come under mounting criticism over the risks of implementing large-scale technological reforms without adequate transparency and safeguards.
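
The central claim above is that a literal password sat in the frontend JavaScript bundle, which every visitor to a site can download and read. As an added example (not code from the article, CBSE or the portal), the build-time check below scans a constructed bundle for string literals compared with or assigned to credential-like names; `scanBundle`, the rule patterns and the sample bundle are assumptions made for illustration.

```javascript
// Added example: build-time check over a frontend bundle. Heuristic only;
// it surfaces candidates for review and does not prove a bypass exists.
const CRED_IDENT = /pass|pwd|secret|otp/i; // deliberately broad, tune per codebase
const IDENT = String.raw`(?<id>[A-Za-z_$][\w$.]*)`;
// Quoted literal of 4+ chars with no escapes or newlines (keeps the regex simple).
const LIT = String.raw`(?:"(?<dq>[^"\\\n]{4,})"|'(?<sq>[^'\\\n]{4,})')`;
const CMP = String.raw`\s*(?:===?|!==?)\s*`;

const RULES = [
  // Literal compared with a credential field: an auth decision made in the client.
  ["compare", new RegExp(IDENT + CMP + LIT, "g")],
  ["compare", new RegExp(LIT + CMP + IDENT, "g")],
  // Literal assigned to a credential-like name: a secret shipped to every visitor.
  ["assign", new RegExp(IDENT + String.raw`\s*[:=]\s*` + LIT, "g")],
];

// Keep the secret itself out of CI logs: show two characters and the length.
const redact = (s) => s.slice(0, 2) + "*".repeat(s.length - 2);

function scanBundle(source) {
  const findings = [];
  for (const [kind, re] of RULES) {
    for (const m of source.matchAll(re)) {
      const { id, dq, sq } = m.groups;
      const literal = dq ?? sq;
      if (!CRED_IDENT.test(id)) continue; // not a credential-like name
      if (/\s/.test(literal)) continue;   // UI text such as "Enter password"
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ kind, identifier: id, line, preview: redact(literal) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample bundle (not code from the portal described in the article).
const SAMPLE_BUNDLE = [
  'function login(f){',
  '  if(f.password==="Xy7#constructed!"){return openDashboard(f.user)}',
  '  return api.post("/login",{user:f.user,password:f.password,otp:f.otp})',
  '}',
  'const cfg={passwordHint:"Enter password",apiSecret:\'s3cr3t-constructed\'};',
].join("\n");

const findings = scanBundle(SAMPLE_BUNDLE);
for (const f of findings) console.log(`${f.line}: ${f.kind} ${f.identifier} ${f.preview}`);
```

A `compare` finding on a password or OTP field means an authentication decision is being made in code the client controls. The remedy is to make that decision on the server against per-user credentials, not to obfuscate the literal.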