The Central Board of Secondary Education (CBSE) has said it is “closely monitoring” security concerns related to its On-Screen Marking (OSM) portal after a 19-year-old cybersecurity researcher claimed to have identified vulnerabilities that could potentially allow unauthorised access to the system.
In a statement issued on social media, the board said a team of cybersecurity professionals from government agencies and the Indian Institutes of Technology (IITs) had been deployed to strengthen the portal and address any security gaps.
“The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out. We are grateful to all alert citizens and ethical hackers pointing out such weaknesses, and have gotten in touch with some of them directly,” the CBSE said.
The statement follows claims made by Nisarga Adhikary, a 19-year-old self-described cybersecurity researcher, who alleged that he was able to identify serious flaws in the OSM portal. According to Adhikary, he first detected the vulnerabilities in February and subsequently reported them to the Indian Computer Emergency Response Team (CERT-In).
In a detailed blog post published on his website and shared on social media platform X, Adhikary claimed that the portal contained a “master password” embedded within its JavaScript code. According to him, the password could be used to bypass the one-time password (OTP) verification process that forms part of the portal’s authentication mechanism.
Speaking to the media, Adhikary said he discovered the issue while examining how usernames, passwords and OTPs were processed by the system.
“I started examining the special logic for username, password, and OTPs and how it's processed. When examining that, I found a master password. After a bit of reading the code, I saw that the master password can bypass all the security protocols and open the dashboard directly,” he said.
The researcher further alleged that such access could potentially allow unauthorised users to alter marks stored on the system. CBSE has not publicly responded to the specific allegations regarding the existence of a master password or the possibility of mark manipulation.
Following the board’s statement, Adhikary posted a reaction on X claiming that CBSE had effectively acknowledged the vulnerabilities he had flagged. The post was later deleted.