'Son Im Crine': Teens and techies Vs the CBSE; or how the battle over the OSM portal unfolded online

What began as a responsible vulnerability disclosure by a 19-year-old student has spiralled into one of the most relentless tech pile-ons Indian education infrastructure has seen in years, with software engineers, cybersecurity researchers and product developers publicly roasting the Central Board of Secondary Education’s digital systems in real time.

The controversy escalated dramatically this week after CBSE, while attempting to defend its On-Screen Marking (OSM) platform , publicly referenced a domain name it did not actually own — allowing the same researcher who exposed the vulnerabilities to buy it for Rs 99 and redirect it to his own blog.

The researcher, Nisarga Adhikary, says he first began examining the CBSE post result service OSM portal in February 2026 while waiting for his own Class 12 results. According to findings he later published online, the platform allegedly exposed multiple severe security flaws, including a hardcoded “master password” inside publicly-accessible JavaScript, client-side OTP verification logic, weak route protections and an alleged IDOR vulnerability tied to examiner workflows.

Adhikary says he privately disclosed the issues to CERT-In and CBSE and followed up repeatedly over nearly three months before eventually posting his findings publicly on X and Hacker News.

The internet, predictably, took that as an invitation and responded exactly the way the internet usually does when national infrastructure allegedly ships with frontend passwords.

Also read CBSE makes third language compulsory for Class 9 from July, with Class 6 books and shared teachers

CBSE OSM: Techie pile-up, flyover analogy

After three months, and after other students started blaming the OSM system for their results, Adhikary went public on X and Hacker News. The tech community immediately descended upon the board's infrastructure.

As the techies tore into the system's structural flaws, the portal began to buckle under the weight of traffic, lagging, and crashing. To help the public understand why CBSE's servers were constantly on life support, Mayuri Prakash, a product engineer, offered a real-world analogy to explain load balancers.

She said, "A load balancer is used to manage network traffic. Imagine how many people will access a website at the exact same time — to avoid it getting overloaded, there are 'load balancers' that automatically route traffic to different servers. Think of it like a flyover and the regular road below it. Both lead to the exact same destination, but to avoid traffic congestion, you have two separate roads."

CBSE OSM Portal: Receipts, archives, ‘open claude code’

On Wednesday evening, CBSE refuted all claims in the statement given below.

"In a post made by a user on social media, it has been claimed that the CBSE On Screen Marking (OSM) bearing URL: http://cbse.onmark.co.in was compromised by him on 26.02.2026. This has also formed the basis for a few news articles.

CBSE clarified that the portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post. The URL: http://cbse.onmark.co.in is the testing site only with sample data for internal testing and review purposes. There are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the Portal deployed for the actual evaluation work. They stated that this system has been implemented for enhanced transparency in assessments.”

Asked how he concluded the portal was connected to the real system and not just a demo site, Adhikary told Careers360, “The examiner account I had hijacked during testing is of a real teacher of a real school in India who was tasked with the evaluation this year. I have enough visual proof to back this up.” He added that it “doesn’t make sense to use real data for testing at all,” which is why he doubted CBSE’s claim that the portal was merely a testing environment.

Also read ‘More exhausting than manual’: How CBSE on-screen marking system is draining teachers it was meant to help

On X Adhikary, had receipts in video form. He said, "CBSE is claiming that the portal wasn't compromised but here's some video evidence proving that there was indeed a security lapse from their side which leaked the master password and it could be used to gain unauthorised access to the portal which had prod data."

Adhikary then pointed out that the digital evidence had been permanently etched into history and he continued saying, "After I sent my report on 25th February, majority of the vulnerabilities I had reported weren't patched. Someone had archived the portal on 03rd March 2026…the JS bundle is accessible.…You can pass the JS bundle through Claude Code and ask it to find the vulnerabilities outlined in my blog and you'll see this result - majority of the vulns are still present in the code despite me reporting it to CERT-In."

Also read Education ministry’s school management committee guidelines 2026 mandate 2 sub panels, 2-year term for member

Copy-paste security architecture

To put the claim more simply, the Chennai based tech specialist said, “Imagine a homeowner who gets warned by a security inspector that their front door is wide open, but they choose to do absolutely nothing about it. A week later, a neighbor takes a photo proving the door is still unlocked. Even if the homeowner later tries to claim, "No, we were always completely safe and secure!" that photo exists as permanent, unchangeable proof that they left their house completely unprotected for days.”

In this digital version, CBSE's website was archived which means someone took a permanent digital "snapshot" of the site's code on March 3, a full week after Adhikary warned them about the flaws. By taking that frozen code and running it through an AI tool (which acts like an expert digital building inspector), anyone can see the proof that CBSE left their master passwords and broken security features completely exposed to the public long after they were told to fix it.

Another X user with the handle @Squeal pointed out that the vendor had copy-pasted the same security architecture across other state portals too.

Adhikary said, "Last but not the least, @Squeal was able to verify that the SAME master password existed in some other onmark subdomains (msbte) through web archive and they still exist at the time of writing this post - we are already in touch with CERT-In regarding this."

Online sleuths quickly tracked down the “vendor” in question – COEMPT Edu Teck, previously Globarena Technologies private LTD, CBSE later confirmed it was COEMPT, saying, “The contract was awarded to M/s Coempt Edu Teck, Hyderabad. However, the allegations are refuted.”

Also read Education Ministry Plans: PM SHRI in West Bengal, Kerala, TN; NIPUN Bharat till Class 5; mental health policy

CBSE Onmark Vs Onmarks

The sleuths also seized upon a typographical error in the CBSE’s original statement in which it said the flagged URL – the “dummy testing site” – was cbse.onmarks.co.in.

Adhikary responded: “Son I crine, that’s not even the real domain, @Squel bought it for 99 rupees”,He tagged one of CBSE’s domain @cbseindia2 to this statement.

The domain was subsequently redirected to Nisarga’s blog post detailing the alleged vulnerabilities in the OSM platform, drawing further attention online to CBSE’s response and digital infrastructure practices.

CBSE later revised its statement to include the URL originally flagged, cbse.onmark.co.in.

What began as a student examining the security of an exam portal has since evolved into a wider controversy over CBSE’s digital infrastructure and response. The issue has drawn significant attention from the tech community, while the parliamentary standing committee on education has sought explanations regarding the alleged security lapses and the board’s handling of the matter. Education minister Dharmendra Pradhan has acknowledged that “certain issues” were raised about the portal.

Meanwhile, there’s growing chatter about taking the whole issue to the courts. Asked why he hadn’t already, Adhikary said, "I'm an engineer and cybersecurity researcher, can’t be bothered with legalese stuff- in touch with multiple lawyers and foundations who are handling that part. Expecting urgency or accountability from the Indian judiciary in cases involving institutions in cases involving institutions like cbse in wishful thinking. ”