Amid complaints of errors in CBSE Class 12 board exam results, a hacker has claimed that serious security loopholes could allow anyone to log into the board's portal used by examiners to evaluate answer sheets - and change students' marks.
The flaws in the CBSE's On-Screen Marking (OSM) portal were uncovered by Siliguri-based security researcher Nisarga Adhikary, who first reported the vulnerabilities to the Indian Computer Emergency Response Team (CERT-In) in February this year. Many of these flaws have since been fixed. (Portal: https://cbse.onmark.co.in/cbseevalweb/)
These vulnerabilities were so basic that even a non-technical person with little coding knowledge could take over examiner accounts and reset passwords without knowing the old password, the researcher said. He also shared with NDTV a screen recording showing him accessing the portal using the user ID of a real examiner based in Madhya Pradesh.
NDTV contacted senior CBSE officials for reaction on the matter. The copy will be updated as we receive the response.
What is the CBSE OSM portal?
The Central Board of Secondary Education (CBSE) has launched the On-Screen Marking portal, where thousands of examiners evaluate scanned copies of students' answer sheets online instead of using pen-and-paper methods.
What are the loopholes?
The most serious allegation is that the portal's login system contained a "master password" hidden in the website's front-end code. In simple terms, this means a password was allegedly placed inside code that any visitor's browser could access and download.
The researcher claimed this password could be used to enter an examiner's account while bypassing the one-time password (OTP) step. OTP verification appeared to be unreliable, as it was handled by the user's browser rather than securely on the server. This is a major concern because a browser is controlled by the user - or an attacker. Security checks such as OTP validation are supposed to occur on protected servers, not on a user's device.
Another vulnerability allegedly allowed internal pages of the portal to be opened without proper login checks. The researcher said pages such as dashboards and evaluation sections could be accessed by manipulating code stored in the user's browser. This suggests the portal may have trusted client-side data instead of independently verifying it.
The researcher further claimed that the password-change feature did not require the old password. This could allow an attacker to reset another examiner's password if they knew or manipulated that examiner's ID.
If accurate, the implications are serious. Examiner accounts could potentially be misused to view assigned answer scripts, alter marks, change evaluator details, or disrupt the assessment process.
These loopholes point to basic security failures: placing sensitive information in public-facing code, trusting the browser for authentication, and failing to verify user identity on the server for sensitive actions.
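The server-side checks described above as missing can be sketched as follows. This is an added example, not the portal's code: the function names, the in-memory stores and the sample values are all assumptions, and it uses only Node.js's built-in crypto module.

```javascript
// Added example (not the portal's code): every decision is made from server-side state.
const crypto = require('node:crypto');

const users = new Map();     // userId -> { salt, hash }   (constructed sample store)
const pending = new Map();   // userId -> { otpHash, expires, tries }
const sessions = new Map();  // token  -> userId, created only after password + OTP

const hashPw = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const same = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);

function setPassword(userId, pw) {
  const salt = crypto.randomBytes(16);
  users.set(userId, { salt, hash: hashPw(pw, salt) });
}

// Step 1: password check. There is no shared or "master" credential path.
function startLogin(userId, pw, deliverOtp) {
  const u = users.get(userId);
  if (!u || !same(hashPw(pw, u.salt), u.hash)) return false;
  const otp = String(crypto.randomInt(0, 1e6)).padStart(6, '0');
  pending.set(userId, { otpHash: sha256(otp), expires: Date.now() + 300000, tries: 0 });
  deliverOtp(otp); // sent out of band (SMS/e-mail); never returned in the HTTP response
  return true;
}

// Step 2: the OTP is compared on the server; any client flag such as "otpVerified" is ignored.
function finishLogin(userId, otp) {
  const p = pending.get(userId);
  if (!p || Date.now() > p.expires || ++p.tries > 5) { pending.delete(userId); return null; }
  if (!same(sha256(String(otp)), p.otpHash)) return null;
  pending.delete(userId);
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, userId);
  return token;
}

// Internal pages: the identity comes from the session table, not from browser storage.
const whoAmI = (token) => sessions.get(token) ?? null;

// Password change: acts only on the session's own user and requires the old password.
function changePassword(token, oldPw, newPw) {
  const userId = whoAmI(token);
  const u = userId && users.get(userId);
  if (!u || !same(hashPw(oldPw, u.salt), u.hash)) return false;
  setPassword(userId, newPw);
  return true;
}
```

A production deployment would keep these stores in a database, rate-limit by IP as well as by account, and invalidate existing sessions after a password change.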
The internal dashboard of an examiner, shared by the hacker.
At the time of filing this report, the main OSM portal was inaccessible and returned a "502 Bad Gateway" error.
(https://web.archive.org/web/20260526074240/https://cbse.onmark.co.in/cbseevalweb)
Two other mirror portals were also down at 1 pm on May 26.
(https://cbse5.onmark.co.in/cbseevalweb/#/login
https://cbse2.onmark.co.in/cbseevalweb/#/login)
The portal appears to have been developed by Hyderabad-based firm Coempt Edu Tech Pvt Ltd. The company's website lists Onmark, a solution it says is designed to "revolutionise answer book scanning (uncut) and digital evaluation".
The CBSE OSM portal carries "Onmark" in its URL, and the master password originally hardcoded in the portal's user-facing source code also contained "Coempt" along with other characters, suggesting the firm deployed its solution for the board.
NDTV contacted Coempt through the contact number listed on its website. A company representative said she was unable to respond to our request for comment on the lapse.