K. Nitika Shivani | May 26, 2026 | 05:31 PM IST | 5 mins read
Nisarga Adhikary, just out of Class 12, has detailed vulnerabilities in cbse.onmark.co.in, the CBSE on-screen marking portal, in a blog post. The findings were reported to CERT-In in February but gaps remained, he says
Nisarga Adhikary, a 19-year-old student and ethical hacker, has publicly disclosed vulnerabilities in the Central Board of Secondary Education’s On-Screen Marking (OSM) portal, the system used for evaluating board exam papers. This year, for the first time, all CBSE Class 12 papers were checked on that portal.
The controversy gained traction after Adhikary posted a thread on X and later published a detailed blog post claiming he was able to bypass parts of the CBSE OSM portal’s login and access-control systems. He said the issues had first been reported privately to CERT-In, India’s cybersecurity response agency, months earlier. “I had hacked CBSE's OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them,” he wrote in a post on X.
The disclosures quickly spread across social media, with cybersecurity professionals, students and educators questioning how the national-level examination system of the CBSE could allegedly contain such basic security weaknesses.
The OSM portal controversy did not emerge in isolation. In the weeks before Nisarga Adhikary’s CBSE vulnerability report became public, several CBSE Class 12 students had taken to social media alleging mismatches between their scanned answer sheets and the marks awarded under the board’s On-Screen Marking system.
Students claimed some answers visible in scanned copies appeared unchecked or incorrectly totalled, while others questioned sudden variations in marks after re-evaluation requests. The complaints triggered wider concerns over transparency in CBSE’s increasingly digitised evaluation process.
For many students and parents, the issue was not just about technical glitches but about trust in a system that directly affects college admissions, scholarships and future opportunities.
It was during this growing scrutiny around the OSM system that Nisarga published his findings online. His disclosures quickly transformed an already simmering transparency debate into a national conversation about cybersecurity, vendor accountability and the safety of student examination data.
According to researchers and cybersecurity experts discussing the issue online, the core problem was that the portal allegedly trusted the user’s browser too much instead of securely verifying everything on CBSE’s own servers.
Experts say secure websites normally keep important checks hidden inside protected backend systems. In the CBSE portal, however, parts of that logic were reportedly exposed in code that loaded directly on a user’s browser.
In his blog post, Nisarga Adhikary alleged that the CBSE OSM portal contained a hardcoded “master password” directly inside publicly accessible frontend JavaScript files. “Not a hash, not a token reference, but the literal password string,” he wrote, claiming the password could bypass the portal’s OTP and authentication flow entirely.
Researchers further claimed that after entering the system, changing examiner ID numbers in browser requests could allegedly provide access to other accounts and evaluation records.
Product engineer Mayuri Prakash from Bengaluru, explaining Adhikary’s blog post, said the vulnerabilities described in the CBSE OSM portal point to basic failures in how authentication and validation were designed.
“In any secure website, validation and authentication logic is supposed to stay hidden in the backend server. Users should never directly see sensitive verification data. But here, much of that information was reportedly exposed in the client side JavaScript — essentially the code visible in the browser itself through inspect tools,” she said.
She compared it to a hotel keeping its master key card openly at the front desk where anyone could pick it up.
“A master key card is supposed to be accessible only to authorised staff. Imagine leaving it in public view for everyone entering the hotel lobby. That is similar to what researchers are alleging happened here. Sensitive information, including login-related details, was effectively visible in the frontend instead of being securely handled in the backend,” she explained.
Prakash also explained, in simpler terms, the alleged IDOR, or Insecure Direct Object Reference, vulnerability that Adhikary notes in his blog post. “In secure systems, even if someone changes account IDs or requests details in the browser, the server should recheck whether that user is actually authorised to access the account,” she said. “In this case, researchers allege that the portal was not properly rechecking authorisation. If someone changed IDs inside browser requests, the system could allegedly return another user’s account information without demanding proper verification again.”
She said the issue becomes especially dangerous when combined with weak password recovery or login validation systems.
“If the application trusts browser-side data too much and does not properly validate requests on the server, attackers can potentially access details they should never be able to see. That is why backend verification exists in the first place,” she added.
“To understand the CBSE portal breach, think of internet security like a bank vault. Normally, when you enter a password, the verification happens securely inside the backend server. But in this case, researchers allege that critical login logic was exposed directly in the frontend code visible in the browser itself.
“The researcher reportedly found a ‘master password’ openly visible in the website code. The system also allegedly trusted the user’s browser to confirm whether a login was successful instead of securely verifying it on the server side. By intercepting browser traffic, someone could reportedly change the response from ‘failed’ to ‘successful’ and bypass OTP verification.
“Once inside, the portal allegedly lacked proper authorization checks. Researchers claim users could change teacher ID details in browser requests and access other examiner accounts, answer sheets and student records. It was a fundamental failure of backend security validation,” said a Chennai-based cybersecurity expert familiar with the disclosures.
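The two server-side controls the experts describe above, the server rather than the browser deciding whether an OTP login succeeded, and every request being rechecked against the logged-in examiner, can be sketched as follows. This is an added illustration, not code from Adhikary’s blog or from the CBSE portal; the examiner IDs, records and function names are constructed for the example.

```javascript
// Added example (Node.js): server-side OTP login and per-request authorisation.
// Examiner IDs, records and function names are constructed for illustration.
const crypto = require("crypto");

const pendingOtps = new Map(); // examinerId -> { hash, expires, tries }
const sessions = new Map();    // session token -> examinerId (server-side only)
const evaluations = new Map([  // constructed sample records
  ["E1001", { examinerId: "E1001", sheets: ["sheet-A"] }],
  ["E1002", { examinerId: "E1002", sheets: ["sheet-B"] }],
]);

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

function issueOtp(examinerId, now = Date.now()) {
  const otp = String(crypto.randomInt(0, 1000000)).padStart(6, "0");
  pendingOtps.set(examinerId, { hash: sha256(otp), expires: now + 5 * 60000, tries: 0 });
  return otp; // delivered out of band; never shipped in frontend code
}

// The server alone decides whether login succeeded. The browser only receives
// an opaque token on success, so rewriting a "failed" response to "successful"
// gains nothing: no matching entry exists in `sessions`. There is no
// master-password branch and no secret for the client to read.
function verifyOtp(examinerId, submitted, now = Date.now()) {
  const entry = pendingOtps.get(examinerId);
  if (!entry || now > entry.expires || ++entry.tries > 5) return null;
  if (!crypto.timingSafeEqual(entry.hash, sha256(String(submitted)))) return null;
  pendingOtps.delete(examinerId); // one-time use
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(token, examinerId);
  return token;
}

// Object-level authorisation: identity comes from the server-side session,
// and the ID in the request is rechecked against it on every call.
function getEvaluation(token, requestedExaminerId) {
  const examinerId = sessions.get(token);
  if (!examinerId) return { status: 401 };
  if (requestedExaminerId !== examinerId) return { status: 403 };
  return { status: 200, body: evaluations.get(examinerId) };
}
```
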
The digital correction portal, cbse.onmark.co.in, is not the board’s only problem. There have been widespread complaints about the functioning of the portal for re-evaluation.
It led to the education minister, Dharmendra Pradhan, stepping in and directing Indian Institute of Technology Madras and IIT Kanpur to help bolster the CBSE’s tech systems.
The CBSE has throughout defended the on-screen marking system. Its officials were asked about Adhikary’s findings but till the time of publication, there was no response. If and when they respond, this story will be updated with their comments.