CBSE OSM portal glitch: 19‑Year‑Out‑Of‑School Hacks CBSE
Researcher reported flaws months ago; board took 3 days to patch one issue — then shut the site.
A 19‑year‑old security researcher, Nisarga Adhikary, claims he discovered critical vulnerabilities in CBSE’s On‑Screen Marking (OSM) portal that could allow unauthorised access to examiner accounts and alteration of student marks. He reported the issues to CERT‑In in February 2026; days after public attention, the portal was taken offline on May 26, 2026. If true, the flaws are severe — they strike at the heart of India’s largest high‑school examination system.

By: indiainput.com Desk
“Master password”
According to the researcher, the alleged vulnerabilities include a hardcoded “master password” in frontend JavaScript, client‑side OTP validation (authentication checked in the browser instead of on secure servers), unprotected internal dashboard routes, a password‑reset flow that doesn’t require the old password, and an IDOR flaw that could let an attacker act as any examiner and edit marks. These are foundational security failures: exposing secrets in public code, trusting the client for authentication, and failing to enforce server‑side authorization for sensitive operations. The implications are grave — examiner accounts could be taken over, marks altered, and trust in the board’s evaluation eroded.
“Onmark”
CBSE’s OSM portal was introduced to digitize evaluation — examiners assess scanned answer sheets online — but the reported flaws suggest rushed deployment without adequate security engineering. The portal’s URL includes “Onmark,” pointing to vendor Coempt Edu Tech Pvt Ltd as the implementation partner; accountability must be shared between the board and its vendor.
Immediate remedial measures are non‑negotiable.
First, keep public exam/examiner portals offline until server‑side authentication and authorization are independently verified.
Second, rotate all secrets and credentials, force password resets for all examiners, and enable Web Application Firewall (WAF) rules to block common bypass attempts.
Third, produce a public statement committing to an immediate third‑party penetration test and a transparent remediation timeline.
Role‑based access control (RBAC)
Medium‑term fixes must go deeper. CBSE must implement centralized identity and access management with role‑based access control (RBAC), enforce server‑side object‑level authorization to prevent IDOR, and adopt secure password‑reset flows with MFA. Audit logs for every mark change and account action must be tamper‑evident and reviewed.
The board should commission a full source‑code audit of the OSM system and require security sign‑off before future releases. Finally, CBSE should launch a formal bug‑bounty and responsible disclosure program coordinated with CERT‑In, so researchers can report issues safely and the board can respond quickly.
This incident is a wake‑up call. Millions of students’ futures depend on the integrity of this system — security cannot be an afterthought. With swift, transparent action and independent oversight, CBSE can restore trust and ensure that digital evaluation strengthens, rather than undermines, India’s education system.