Cybersecurity

'Found CBSE portal vulnerabilities in 20 mins, not afraid of FIR'


Nineteen-year-old ethical hacker Nisarga Adhikary exposed multiple vulnerabilities in the CBSE portal, including a master password flaw that allowed access to evaluator accounts and 30 million scanned answer sheets, after CBSE failed to address his earlier reports. Adhikary claimed it took him just 20 minutes to identify critical security weaknesses in the board’s digital infrastructure, which also involved publicly accessible AWS buckets storing sensitive exam data.

A 19-year-old ethical hacker, Nisarga Adhikary, revealed significant security flaws in the Central Board of Secondary Education (CBSE) portal, stating he identified vulnerabilities within 20 minutes. Adhikary disclosed that the portal’s front-end JavaScript code, comprising 9,000 lines, contained a master password, enabling access to evaluator accounts with user IDs obtained through public sources. Using this, he could log into evaluator accounts, access answer sheets, and generate grades.

Adhikary reported 45 vulnerabilities to CBSE but received no response, leaving the issues unresolved. After results were declared, he went public, uncovering further vulnerabilities that granted access to nearly 30 million scanned answer sheets and databases. The exposure follows scrutiny of CBSE’s On-Screen Marking (OSM) system and concerns over the security of its digital platforms.

The hacker described the breach as straightforward, attributing the vulnerabilities to a lack of proper security protocols and auditing. He said the system reflected inexperience in cybersecurity, which made the vulnerabilities easy to identify. Adhikary also highlighted that answer sheets and question papers were stored in a publicly accessible AWS bucket, raising fresh concerns about CBSE’s digital infrastructure.

CBSE’s failure to address the initial reports prompted Adhikary to disclose the flaws publicly, sparking a nationwide debate over the board’s technology ecosystem. The incident underscores broader concerns about the security of educational institutions’ digital systems. Adhikary emphasized that he does not fear potential legal action, framing his actions as a necessary step to expose systemic vulnerabilities.

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
