A 19-year-old cybersecurity researcher has claimed that he found serious vulnerabilities in CBSE’s On-Screen Marking portal and alerted authorities months ago, raising fresh concerns over the security of India’s digital examination infrastructure.
The researcher, identified as Nisarga Adhikary, said the alleged flaws were discovered in February and reported to the Indian Computer Emergency Response Team. The claims gained wider attention after entrepreneur Deedy Das highlighted the matter on X, prompting debate among cybersecurity experts and education stakeholders.
Researcher Claims CERT-In Was Alerted
According to the researcher’s blog post, the alleged vulnerabilities were reported to CERT-In along with technical evidence, walkthroughs and supporting documentation. He claimed that despite submitting additional material, several issues remained unresolved for months.
The controversy centres on CBSE’s On-Screen Marking system, which is used for digital evaluation of scanned answer sheets. Under the system, examiners log in to a web-based platform to assess student scripts instead of marking physical copies.
Adhikary alleged that the portal had multiple weaknesses that could affect access controls. He claimed that login authentication, OTP verification and certain security parameters were exposed in ways that could potentially allow unauthorised access under specific conditions.
Authentication and Access Controls Under Question
One of the key claims relates to alleged insecure client-side validation in the OTP verification process. According to the researcher, parts of the authentication logic were executed on the user’s browser instead of being fully validated on the server, potentially weakening security.
He also alleged that some internal routes of the application lacked proper access restrictions. According to his claims, certain dashboard and evaluation-related pages could be accessed by manipulating browser storage or session parameters.
The blog post further claimed that the password reset system did not properly validate existing credentials before allowing changes. The researcher suggested that such weaknesses, if verified, could raise risks related to account access and impersonation in extreme cases.
CBSE Yet to Publicly Confirm Claims
As of now, CBSE has not issued an official confirmation on the claims or clarified whether any student data or marks were compromised. The allegations have also not been independently verified through public disclosures.
The issue has triggered concern because CBSE’s examination and evaluation systems affect lakhs of students across India. Any weakness in such infrastructure could raise questions about data integrity, fairness in evaluation and public trust in digital assessment systems.
While the researcher has described his actions as responsible disclosure, cybersecurity experts online remain divided. Some have called for urgent audits of public examination platforms, while others have urged caution until official agencies release verified findings.