While still in the midst of students’ anger over the on-screen marking (OSM) system for Class 12 board exams, the Central Board of Secondary Education (CBSE) found itself at the center of another controversy recently, with a teenager claiming to have “hacked” its online portal.

Nisarga Adhikary, a 19-year-old self-described ‘amateur cybersecurity researcher’, is behind the claims. CBSE issued a clarification on Tuesday rejecting the suggestion that its marking system had been hacked.
A senior official from India’s Ministry of Electronics and Information Technology (MeitY) told Hindustan Times that CERT-In (the Indian Computer Emergency Response Team) is looking into the matter, has raised it with CBSE and has proposed measures to fix the issues, which the board later pledged to complete. The official was responding to queries about what action was taken after Nisarga disclosed the alleged vulnerabilities to CERT-In in February.
Notably, CBSE introduced the OSM system of evaluation for Class 12 board exams in February this year. Under this method, answer sheets are digitally scanned and reviewed online. According to the board, this helps avoid errors in recording marks and reduces manual involvement.
What is the controversy over the “hacking” claim?
Nisarga Adhikary, a 19-year-old hobby cybersecurity researcher who sat his Class 12 exams this year, claimed to have hacked the CBSE website and found serious lapses in the OSM system.
In his May 22 post, he described it as an “absolute embarrassment” and claimed that the flaws could have allowed someone to “view and change any students’ grades”.
In a detailed blog post published on his website and also shared on X, Nisarga said he had identified several major security flaws in CBSE’s OSM portal in February and reported them to CERT-In.
However, he claimed that many of the issues he pointed out remained unresolved for a long time.
“What I found inside was terrible.”
Nisarga said the site’s home page looked normal at first glance, but problems began to appear once he examined the underlying code. According to his blog, the deeper he looked into the system, the more serious the alleged problems became.
“Like most modern single-page applications, Gateway is an Angular application that ships all of its front-end logic in one minified JavaScript file. The browser downloads this file and runs it locally to display every screen in the application. Anyone can request it, whether they’re logged in or not. So I pretty-printed it and started reading. What I found inside was terrible,” the 19-year-old wrote.
One of his main claims involved what he called a hardcoded “master password” that was allegedly visible in the publicly accessible JavaScript bundle served by the website.
A “master password” flaw means the website carries a global secret password in its own code. Anyone who finds it can log in as any examiner without an OTP ever being sent to that teacher’s phone.
He said the password was visible directly in the website’s front-end code. According to him, once the master password was entered on the login page, the app automatically filled in the OTP field and skipped the usual authentication step. He also said there was no second-factor check or server-side verification behind it.
He said that logging in as any examiner would require only the following:
- The target user ID and school code, both of which are publicly available.
- The master password, stored in a JavaScript file that anyone can download.
“With these, I was able to log in as an examiner (completely bypassing the OTP/2FA flow) and access the assessment dashboard, where I could view and edit grades,” he wrote.
Flaws in the OTP system too?
According to the blog, there were also major problems within the OTP system itself.
“When someone triggers authentication, the server sends the one-time password (OTP) back inside the authentication response, and the JavaScript running in the browser compares what the person typed with that value locally before letting you through,” he wrote.
Simply put, the OTP is returned to the browser in the server’s response, and the browser itself then checks whether the OTP entered matches it.
“The secret you’re supposed to prove you received is delivered directly to your browser, and the browser evaluates its own test,” he said.
This means anyone inspecting the network requests can read the OTP directly, he said. And since the comparison happens in client-side code, he claimed that someone could bypass the form entirely and simply tell the application that the check had succeeded.
“Security control running on an attacker’s device is no control at all,” he wrote, a statement that caught the attention of cybersecurity experts.
Another big claim: “The entire application is accessible”
Passwords and one-time passwords (OTPs) were not the only problems with the system, the blog claimed.
Nisarga claimed that many internal sections of the Angular-based application lacked proper route protection.
He claimed that pages such as /dashboard, /profile, /evalscriptsview and /verificationdashboard could be opened simply by planting fake values in the browser’s storage.
“The only thing standing between the anonymous visitor and the internal page is the default redirection to /login, and that is trivial to defeat,” he said.
He also claimed that the system’s password reset process did not verify the existing password before allowing a change. “The current password has never been verified.”
He claimed that the combination of this issue and what he described as a “systemic IDOR vulnerability” could enable attackers to take over examiner accounts by modifying stored IDs. “This is a complete account takeover, without any credentials or inside access,” he wrote.
He claimed that an attacker could then log into the victim’s account, access the answer sheets assigned to that examiner and alter the marks.
CBSE reacts to hacking allegations
Responding to the allegations, CBSE said the portal actually used to evaluate answer sheets had a different URL from the one shown in the teenager’s screenshots.
CBSE said the issues he reported came from a “testing site”.
“Initially, it was clarified that the portal used for evaluating the answer books had a different URL, which was not hacked and did not have the vulnerabilities pointed out in the said social media post. The URL: http://cbse.onmark.co.in is only the test site with sample data for internal testing and review purposes,” the board said in a post on X.
The board said that no security breach was identified in the OSM portal used in the actual evaluation process.