
Nisarga Adhikary, a Bengaluru-based cybersecurity researcher who recently completed 12th grade, reported security vulnerabilities in the Central Board of Secondary Education (CBSE) On-Screen Marking (OSM) system to India’s cybersecurity agency, CERT-In, and said he “never heard back” after the agency acknowledged his complaint with a templated response, despite several follow-ups. He discovered the vulnerabilities described below on February 25, 2026, and reported them to CERT-In shortly afterwards.

What is CBSE’s On-Screen Marking system? On-Screen Marking (OSM) is a digital evaluation system in which scanned answer sheets are displayed on screen for grading, according to an FAQ-style document CBSE published on May 18, 2026.

Source: Nisarga Adhikary’s blog

At the time of writing this report, the URL of the On-Screen Marking system returns a “502 Bad Gateway” error.

The vulnerabilities he found:

  1. A master password was hidden in the website’s code: “Sitting in plain text inside the frontend bundle was a hardcoded master password. Not a hash, not a token reference, but the literal password string, baked directly into the client-side JavaScript that gets shipped to every visitor’s browser,” he wrote. 

    What it means: When a user visits the CBSE On-Screen Marking portal, their browser automatically downloads a JavaScript file containing the application’s entire frontend code. That file is publicly accessible, so anyone who reads the master password out of it can present it to the app, which then skips the OTP-based authentication and lets them view and edit students’ marks.
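The defensive counterpart to the finding above is a build-time check that refuses to ship a bundle containing credential-looking literals. The following is an added example, not CBSE’s code or anything from the researcher’s blog: a small scanner that walks a frontend bundle (the bundle text here is constructed for illustration) and reports string literals bound to password- or key-like names, using a character-class heuristic to tell a real secret from a UI label such as `"Password"`.

```javascript
// Added example (not CBSE's or the researcher's code): a build-time check that
// scans a frontend bundle for credential-looking string literals before it ships.
// The bundle text below is constructed for illustration; the host is hypothetical.
const SAMPLE_BUNDLE = `
  const API = "https://example.invalid/api";          // hypothetical host
  const MASTER_PASSWORD = "Sup3rSecret!2026";         // constructed secret
  const OTP_LENGTH = 6;
  const i18n = { password: "Password", otp: "Enter OTP" };
`;

// Names that should never be bound to a literal in client-side code.
const SECRET_KEYS = /(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'\`]([^"'\`]{6,})["'\`]/gi;

// Heuristic: a real secret usually mixes at least three character classes
// and contains no whitespace; a translated UI label does not.
function looksLikeSecret(value) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9\s]/]
    .filter((re) => re.test(value)).length;
  return classes >= 3 && !/\s/.test(value);
}

// Returns one finding per suspicious literal: the key name, the 1-based line
// number and a redacted preview, so the report itself does not leak the secret.
function scanBundle(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(SECRET_KEYS)) {
      const [, key, value] = m;
      if (looksLikeSecret(value)) {
        findings.push({ key, line: idx + 1, preview: value.slice(0, 2) + "***" });
      }
    }
  });
  return findings;
}

// Intended use: run in CI on the built bundle and fail the build on any finding.
console.log(scanBundle(SAMPLE_BUNDLE));
```

Running it on the constructed bundle flags only the `MASTER_PASSWORD` line; the `i18n.password` label is skipped because `"Password"` mixes just two character classes. A scanner like this is a safety net for the real fix, which is never to put a credential in client-delivered code in the first place.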

  2. The OTP for user verification was publicly visible in the browser:

    What it means: When an examiner logs into the CBSE portal, the server is supposed to send a one-time password to verify the user (i.e., the examiner). Instead of verifying the OTP on the server, the portal sent the OTP back to the user’s browser inside the login response and “verified” the user based on whether the value they typed matched it. In other words, the OTP was handled and “verified” entirely in the browser, and what the user typed was never sent to the server at all.

    “A security control that runs on the attacker’s machine isn’t a control at all.” – Nisarga Adhikary

  3. Any internal page of the portal could be accessed without logging in: “Paste that [a few lines of code] into the browser console, and you’re dropped onto the dashboard, having never authenticated against anything. The token is fake, the user is invented, and the app doesn’t care,” he wrote.

    What it means: Every internal page of the portal (like dashboard, profile, evaluator details, verification dashboard, evalscriptsview, and heallscripts) was directly accessible by typing the URL. The ideal behaviour would be to redirect the user to the login…



Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.


Last Update: May 26, 2026