CBSE OSM portal had 'master password' that could be used to tamper marks, claims 'hacker' Nisarga Adhikary

A 19-year-old cybersecurity researcher, Nisarga Adhikary, claimed the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) portal contained a hard-coded 'master password' that could bypass OTP verification and tamper with student marks, though CBSE denied the actual evaluation portal was compromised. The vulnerabilities were reportedly found in a testing site with sample data, not the live system used for Class 12 board examinations in 2024.
A 19-year-old cybersecurity researcher, Nisarga Adhikary, has alleged that the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) portal for Class 12 board examinations contained a hard-coded 'master password' embedded in the frontend JavaScript. According to Adhikary, this password could bypass OTP verification, log into examiner accounts, and potentially tamper with student marks. He discovered the vulnerability while examining the portal’s backend code, noting that the password could be used with publicly available examiner details like user ID and school code.
CBSE has denied that the actual evaluation portal was compromised, stating the vulnerabilities were found in a testing site with sample data, not the live system. The board introduced OSM in 2024 to replace manual evaluation, aiming to reduce errors and speed up the process. However, the rollout faced criticism after students reported issues like blurry scans, missing pages, and incorrect answer sheets being uploaded.
Adhikary claimed the 'master password' could directly open the evaluation dashboard without OTP verification, allowing access to examiner accounts and the ability to edit answer sheets. He described the authentication flow as flawed, with the password embedded in the code, making it accessible to anyone reviewing the frontend JavaScript.
The controversy escalates amid ongoing issues with OSM, including a viral case where a Delhi student, Vedant Shrivastava, alleged his Physics answer sheet was incorrectly uploaded. CBSE later acknowledged a technical error but maintained the evaluation portal itself was secure. Adhikary’s findings raise further concerns about the system’s security, despite CBSE’s assurances. The OSM system was introduced to eliminate totaling errors and reduce manual intervention, but its rollout has been marred by technical glitches and security allegations.
While CBSE dismisses the breach claims, Adhikary’s discovery highlights potential risks in digital evaluation systems. The board continues to defend the portal’s integrity, insisting the vulnerabilities were isolated to a testing environment.