This 19-year-old says he could change CBSE marks from home
What's the story
Nisarga Adhikary, a 19-year-old ethical hacker, has flagged major security flaws in the Central Board of Secondary Education's (CBSE) newly launched On-Screen Marking (OSM) system. The platform was designed to allow examiners to evaluate scanned copies of answer sheets on computers instead of paper. However, Adhikary found that anyone with basic technical skills could bypass OTP authentication and impersonate examiners, reset passwords, and even alter students' marks.
Security breach
Access control completely broken, says Adhikary
Adhikary, a Class 12 student from West Bengal, said it took him less than an hour to find all the vulnerabilities in the system. "Anyone can impersonate any examiner to their choice. The access control is totally broken," he said. He added that he could change the marks as there was no OTP security and anyone could change the password.
Official clarification
CBSE denies OSM portal hacked
In response to Adhikary's claims, CBSE denied that its OSM portal had been hacked. The board clarified that the URL claimed by Adhikary to have flaws was "the testing site only with sample data for internal testing and review purposes." It emphasized that no security breaches had come to light on the portal deployed for actual evaluation work.
Counterclaims
Adhikary stands by claims
Responding to CBSE's clarification, Adhikary claimed that the URL in CBSE's post was "not even a real domain," and that it was directing users to his blog. After discovering the vulnerabilities, he sent emails to several authorities, including CERT-In and other government-linked cybersecurity contacts, but did not receive satisfactory responses. He flagged six high-severity vulnerabilities still present on the site, including one involving the master password.
Cybersecurity experience
Who is Nisarga Adhikary?
Adhikary is a hobbyist cybersecurity researcher who has previously worked on bug bounty and vulnerability-hunting projects. He studied in Delhi for a few years, where he built cybersecurity tools as well. He has been involved in ethical hacking and security testing for several years now. "I used to do ethical hacking for a while and thought it would be good if I could play around and find bugs in it," he told ThePrint.