Ethical Student Hackers Blow the Whistle on CBSE, Reveal Massive Data Breach

Three ethical hackers—Nisarga Adhikary, Sarthak Sidhant, and Vedant Srivastava—exposed critical flaws in the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) Portal, including hardcoded passwords and vendor favoritism, while students like Srivastava faced mark-sheet discrepancies and online harassment. Adhikary reported vulnerabilities to CERT-In in February 2026 but received no follow-up, while Sidhant revealed CBSE’s revised tender rules benefited Coempt Edu Teck, a firm linked to past exam controversies.

Three student ethical hackers uncovered severe security flaws in the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) Portal, a digital system used for evaluating Class 12 board exams. On 22 May 2026, 19-year-old Nisarga Adhikary published a blog post detailing vulnerabilities in the portal’s code, including a hardcoded master password accessible via publicly available user IDs and school codes. Adhikary had first identified these issues on 25 February 2026 and reported them to CERT-In, India’s cybersecurity response team, but received no substantive response despite follow-ups.

Adhikary’s findings revealed multiple weaknesses: lack of password protection, OTP bypass, and the ability for attackers to impersonate examiners and alter marks freely. Despite his disclosure, CBSE denied the vulnerabilities while expressing gratitude for the report.

The flaws directly impacted students like 17-year-old Vedant Srivastava, who discovered his Physics answer sheet had been replaced with another student’s work after requesting photocopies on 23 May 2026. Srivastava’s family faced online abuse, including being falsely labelled ‘anti-national’ and ‘Pakistani.’

Separately, 18-year-old Sarthak Sidhant exposed how CBSE altered tender rules to favor Coempt Edu Teck, a Hyderabad-based firm hosting the OSM system. Sidhant’s blog post on 30 May 2026 highlighted that CBSE, as a public institution, should have invited competitive bids instead of directly selecting the vendor. Coempt Edu Teck has prior ties to the 2019 Telangana State Board Examination controversy, raising further concerns about transparency.

The OSM Portal was introduced to streamline exam evaluation but has instead created systemic risks, from data breaches to mark-sheet fraud. Students affected by the flaws have taken to public platforms to demand accountability, while CBSE’s response remains limited to generic acknowledgments.

The incident underscores broader issues in digital infrastructure security within India’s education sector.