CBSE Website Had 'Master Password' Vulnerability, Claims Hacker

CBSE has denied that the actual evaluation portal was compromised, saying the vulnerabilities highlighted by the teenager related only to a “testing site”.

A 19-year-old cybersecurity researcher, Nisarga Adhikary, has claimed that the Central Board of Secondary Education's (CBSE) On-Screen Marking (OSM) test website contained a hard-coded 'master password' that could be used to bypass OTP verification, log into examiner accounts, and even tamper with students' marks.

CBSE, however, has denied that the actual evaluation portal was compromised, saying the vulnerabilities highlighted by the teenager related only to a 'testing site' containing sample data.

The OSM system was introduced for Class 12 Board examinations to eliminate totaling errors, reduce manual intervention, and speed up evaluation. However, the rollout quickly came under fire after students began flagging issues ranging from blurry scans and missing pages to alleged mismatches in uploaded answer sheets during the re-evaluation process.

Adhikary claimed that the portal's frontend JavaScript bundle contained a 'literal password string' embedded directly in the code, which could bypass security checks and directly open the evaluation dashboard.

He alleged that with an examiner's user ID and school code, the password could be used to access examiner accounts without completing the OTP verification process, and even allow changes to answer-sheet evaluations and examiner information.
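
The class of flaw described above, a credential literal shipped in client-side code, can be caught before release by scanning the built bundle. The following is an added example, not code from the CBSE portal or from Adhikary's findings; the function name, the identifier heuristics and the sample bundle (including its placeholder password) are all constructed for illustration.

```javascript
// Added example (not code from the CBSE portal): flag string literals that a
// front-end bundle compares with, or assigns to, a credential-like identifier.
const CRED_NAME = /pass(word|wd)?|pwd|otp|secret|master/i; // heuristic, assumed
const IDENT = String.raw`(?<id>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)`;
// Non-empty quoted literal; empty strings (form initial state) are ignored.
const LIT = String.raw`(?<q>["'])(?<lit>(?:\\.|(?!\k<q>).)+)\k<q>`;
const PATTERNS = [
  new RegExp(`${IDENT}\\s*(?<op>[!=]==?|=|:)\\s*${LIT}`, "g"), // name OP "literal"
  new RegExp(`${LIT}\\s*(?<op>[!=]==?)\\s*${IDENT}`, "g"),     // "literal" OP name
];

function findHardcodedCredentials(source) {
  const findings = [];
  for (const re of PATTERNS) {
    for (const m of source.matchAll(re)) {
      const { id, op, lit } = m.groups;
      const name = id.split(".").pop(); // judge only the last path segment
      if (!CRED_NAME.test(name)) continue;
      findings.push({
        name: id,
        kind: op === "=" || op === ":" ? "assignment" : "comparison",
        offset: m.index, // minified bundles are often a single line
        line: source.slice(0, m.index).split("\n").length,
        redacted: lit[0] + "*".repeat(lit.length - 1), // never log the secret
      });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample bundle: two benign uses of the word "password" and one
// client-side comparison against a literal that skips the OTP request.
const SAMPLE_BUNDLE = [
  'function v(e){return e.type==="password"?"text":"password"}',
  'const f={userId:"",password:"",placeholder:"Enter password"};',
  'function login(e){if(e.password==="EXAMPLE-MASTER-0000")return openDashboard(e.userId);',
  'return requestOtp(e.userId,e.schoolCode)}',
].join("\n");

console.log(findHardcodedCredentials(SAMPLE_BUNDLE));
```

A finding of this kind means the secret has to be rotated and the check moved to the server, since anything in a JavaScript bundle is readable by every visitor.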

CBSE has rejected the claims that its live evaluation infrastructure was compromised, saying the system had been implemented 'with strong grievance redressal mechanisms built into it.'