Serious cybersecurity vulnerabilities discovered within the Central Board of Secondary Education’s (CBSE) digital infrastructure may have exposed sensitive student records, examiner accounts, and grading systems to unauthorized access, according to findings shared by an independent security researcher.
The vulnerabilities were reportedly identified by 19-year-old cybersecurity researcher Nisarga Adhikary in CBSE’s On-Screen Marking (OSM) portal — a platform extensively used by evaluators to assess Class 12 board examination answer sheets.
Technical disclosures shared online and later amplified by cybersecurity experts suggested that the portal relied heavily on insecure client-side validation mechanisms rather than secure backend verification systems.
One of the most alarming findings involved a hardcoded master password embedded directly within publicly accessible JavaScript files. Experts warned that this flaw could potentially allow attackers to bypass the platform’s OTP-based authentication system entirely.
Researchers also identified an Insecure Direct Object Reference (IDOR) vulnerability, where examiner and validator IDs were reportedly retrieved directly from browser session storage. This could allegedly enable unauthorized users to manipulate identifiers using basic browser developer tools and gain access to examiner accounts and student evaluations.
Additional concerns were raised over the portal’s password reset mechanism, which allegedly allowed account credentials to be changed without verifying the original password.
Experts further claimed that crucial OTP validation checks were being handled on the client side rather than through secure server-side authentication, increasing the risk of unauthorized access.
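The difference between client-side and server-side checks for the OTP and examiner-ID issues described above can be shown with a short server-side sketch. This is an added example, not code from the CBSE portal or from the researcher's disclosure; every function name, identifier and sample record in it is hypothetical and constructed for illustration.

```javascript
// Added example: server-side OTP verification and session-bound authorization.
// All names and sample data are hypothetical and constructed.
const crypto = require('node:crypto');

const hash = (s) => crypto.createHash('sha256').update(s).digest();
const otps = new Map();     // examinerId -> { digest, expires, tries }
const sessions = new Map(); // token -> examinerId, held only on the server
const sheets = new Map([['S1', 'EX100'], ['S2', 'EX200']]); // sheet -> assigned examiner

function issueOtp(examinerId, now = Date.now()) {
  const otp = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  otps.set(examinerId, { digest: hash(otp), expires: now + 5 * 60 * 1000, tries: 0 });
  return otp; // delivered out of band; never shipped inside page scripts
}

// The comparison runs on the server. There is no master value or fallback path.
function verifyOtp(examinerId, submitted, now = Date.now()) {
  const rec = otps.get(examinerId);
  if (!rec || now > rec.expires || rec.tries >= 5) return null;
  rec.tries += 1; // attempt limit slows guessing
  if (!crypto.timingSafeEqual(rec.digest, hash(String(submitted)))) return null;
  otps.delete(examinerId); // single use
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, examinerId);
  return token;
}

// The examiner ID sent by the browser is never used for authorization:
// identity comes from the server-side session, then the assignment is checked.
function getSheet(token, claimedExaminerId, sheetId) {
  const examinerId = sessions.get(token);
  if (!examinerId) return { status: 401 };
  if (sheets.get(sheetId) !== examinerId) return { status: 403 };
  return { status: 200, sheetId, examinerId };
}
```

With this design, editing an identifier in browser storage changes only `claimedExaminerId`, which the server ignores.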
February 2026: The vulnerabilities were reportedly discovered and submitted to CERT-In for responsible disclosure.
May 19, 2026: CBSE launched its post-result re-evaluation portal, following which thousands of students reported crashes and technical glitches.
May 22, 2026: Users observed unusual fluctuations in rechecking fees, with amounts reportedly ranging from Rs. 1 to Rs. 69,420 per subject.
May 26, 2026: Technical details regarding the alleged vulnerabilities went viral on social media platforms, triggering widespread public concern.
Following mounting criticism and public scrutiny, portions of the portal were temporarily taken offline for maintenance and security updates. Access to several systems has since been restricted while additional safeguards are reportedly being implemented.
In an official statement, CBSE attributed the disruptions to “unprecedented traffic” and acknowledged “attempts of unauthorized interference” on its systems. However, the board has not officially confirmed whether any student records or marks were altered before corrective measures were introduced.
The incident has reignited concerns over cybersecurity preparedness within large-scale public digital infrastructure handling sensitive educational and examination data.