Nisarga Adhikary, a Class 12 student and self-taught cybersecurity hobbyist, claims he uncovered a series of serious vulnerabilities in the platform linked to CBSE’s digital evaluation system for online answer-sheet marking.
Speaking exclusively to financialexpress.com, Nisarga said he was “shocked” to find basic yet critical flaws in the portal. The teenager claimed the vulnerabilities could have allowed attackers to bypass login protections, reset examiner passwords, and potentially tamper with marks assigned during the Class 12 board evaluation process.
CBSE, however, rejected his allegations, claiming the portal referenced in Nisarga’s screenshots was not the live evaluation system used for board exam answer sheets. “It has neither been compromised nor does it have the vulnerabilities indicated in the said social media post,” the board said in a statement.
Nisarga published a detailed blog post on May 22 outlining the alleged flaws. According to him, the issues were first discovered on February 25 this year and were reported to CERT-In, India’s national cybersecurity agency, before he made them public.
‘The master password vulnerability was shocking’
In his conversation with financialexpress.com, Nisarga said his curiosity was piqued after CBSE announced it would use an On-Screen Marking (OSM) system for this year’s evaluation process.
“Exams were going on, and I saw that CBSE announced that they’ll use OSM system for grading this year — curiosity got the best of me, and I started digging into their circulars. Took me a few minutes to find their portal URL, and then I started inspecting it,” he said.
The teenager, who says he began coding at a young age and started exploring cybersecurity around Class 6 or 7, described the flaws he allegedly found as surprisingly basic. “The master password vulnerability was shocking to say the least,” he said, adding, “I didn’t expect amateur vulnerabilities like these at all, these were very easy to exploit.”
When asked if he ever tested how far the access could go before deciding to stop for ethical reasons, Nisarga said, “As soon as I realised that I could effectively tamper with grades and take over accounts, I stopped, documented the vulnerabilities, and reported them to CERT-In.”
Nisarga said cybersecurity is a hobby for him. He revealed having prior experience as a software engineer and backend engineering intern. “Professionally, I’ve worked as a software engineer in the past and just wrapped up an internship as a backend engineer a few months back. Cybersecurity & reverse engineering is just a hobby for me to be honest, might make it my career if I see a good opportunity. But for now, I plan to stick to software engineering for the most part,” he told financialexpress.com.
What the student claims he found
In his blog, Nisarga claimed the portal’s frontend JavaScript bundle allegedly exposed a hardcoded “master password” in plain text. According to him, entering this password could bypass the OTP-based authentication system entirely. “I was able to log in as an examiner (bypassing the OTP/2FA flow totally) and reach the evaluation dashboard, where I could view and edit marks,” he wrote in his blog post.
He further alleged that the OTP verification itself was handled client-side, meaning the verification process allegedly happened inside the user’s browser instead of securely on the server. “Anyone watching the network tab can just read the OTP out of the response. And because the comparison happens in client-side code, you can skip the form altogether and simply tell the app the check passed,” he added.
The student also claimed that several internal routes, including dashboards and evaluation pages, lacked proper access protections. According to him, by editing browser storage values through developer tools, a person could allegedly access internal pages without authenticating.
Among the most serious allegations was a password reset flaw. Nisarga claimed the portal’s “change password” API did not require users to provide their old password, allowing passwords to allegedly be changed by simply supplying a user ID and a new password.
He further alleged the platform suffered from a widespread “Insecure Direct Object Reference” (IDOR) issue, where the server trusted user IDs supplied from the browser instead of verifying them through authenticated sessions.
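The three server-side weaknesses described above (a password-change API that takes a user ID from the browser and never asks for the current password, and an OTP that is compared in the client) are general patterns, not specific to any one portal. The following is an added, constructed Python example, not code from the portal, CBSE, OnMark or the student's blog: a toy account service written in an insecure shape that mirrors those patterns, beside a hardened shape where identity comes from a server-side session, the current password is re-verified, and the OTP is generated, stored and compared only on the server. All user names, passwords and the in-memory stores are made up for illustration.

```python
"""
Constructed example: password change and OTP verification written two ways.
`insecure_change_password` mirrors the weaknesses the article describes
(client-supplied user ID trusted, no current-password check). The `secure_*`
functions show the server-side fixes. None of this is the portal's code.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a real password KDF (argon2id or bcrypt in production).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(user_id: str, password: str) -> User:
    salt = os.urandom(16)
    return User(user_id, salt, hash_password(password, salt))


def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison of the stored hash against the candidate.
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


# Constructed user store and server-side session store (token -> user_id).
USERS: Dict[str, User] = {
    u.user_id: u
    for u in (make_user("examiner-1", "correct horse"), make_user("examiner-2", "battery staple"))
}
SESSIONS: Dict[str, str] = {}


def login(user_id: str, password: str) -> Optional[str]:
    user = USERS.get(user_id)
    if user is None or not verify_password(user, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


# --- Insecure shape: the pattern the article describes --------------------
def insecure_change_password(request: dict) -> bool:
    # Trusts a user ID sent by the browser (IDOR) and never asks for the
    # current password, so any caller can set any account's password.
    user = USERS.get(request["user_id"])
    if user is None:
        return False
    user.pw_hash = hash_password(request["new_password"], user.salt)
    return True


# --- Hardened shape ---------------------------------------------------------
def secure_change_password(session_token: str, current_password: str, new_password: str) -> bool:
    # Identity comes from the server-side session, never from the request body.
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return False
    user = USERS[user_id]
    # Re-authenticate with the current password before changing anything.
    if not verify_password(user, current_password):
        return False
    if len(new_password) < 12:
        return False
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)
    # Revoke every other session so a stolen session does not outlive the reset.
    for tok in [t for t, uid in SESSIONS.items() if uid == user_id and t != session_token]:
        del SESSIONS[tok]
    return True


# --- OTP: generated, stored and compared on the server only ----------------
PENDING_OTPS: Dict[str, str] = {}   # user_id -> code; never sent in an HTTP response


def issue_otp(user_id: str) -> None:
    # The code is delivered out of band (SMS/email); the browser only submits it.
    PENDING_OTPS[user_id] = f"{secrets.randbelow(10 ** 6):06d}"


def verify_otp_server_side(user_id: str, submitted: str) -> bool:
    expected = PENDING_OTPS.pop(user_id, None)   # single use: consumed on first attempt
    if expected is None:
        return False
    return hmac.compare_digest(expected, submitted)
```

The contrast to look for in a review is the source of identity: in the insecure handler the account being modified is whatever `user_id` the client sends, while in the hardened handler it is resolved from a session the server issued. Likewise the OTP never leaves the server, so there is nothing for a network tab to read, and the comparison cannot be skipped by the client because the client never performs it.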
CERT-In response and follow-ups
Nisarga said CERT-In acknowledged his report in February with a standard acknowledgement email. “No, just got a simple thank you mail from CERT-In in February, nothing else except that. Have tried notifying the vendor and CBSE as well,” he told financialexpress.com when asked whether he had received any official response.
In his blog, he also criticised the lack of follow-up after his disclosure, claiming many of the issues remained unresolved for months.
CBSE says screenshots were from ‘testing site’
Responding to the allegations, the Central Board of Secondary Education (CBSE) said the portal referenced in Nisarga’s screenshots was not the live evaluation system used for board exam answer sheets. “At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL. The URL: http://cbse.onmark.co.in is the testing site only with sample data for internal testing and review purposes,” the board said.
Clarification Regarding Claim of Compromise of CBSE OSM Portal
— CBSE HQ (@cbseindia29) May 26, 2026
In a post made by a user on social media, it has been claimed that the CBSE On Screen Marking (OSM) bearing URL: https://t.co/cuLrvsxzOH was compromised by him on 26.02.2026. This has also formed the basis for a few…
Nisarga later challenged CBSE’s response on social media, posting video evidence of the alleged vulnerabilities. In a thread on X, he claimed the exposed master password could still provide unauthorised access and alleged that production-related data had been exposed.
🧵 [1/4] CBSE is claiming that the portal wasn't compromised but here's some video evidence proving that there was indeed a security lapse from their side which leaked the master password and it could be used to gain unauthorized access to the portal which had prod data pic.twitter.com/3Kn5uZnEZc
— nisarga (@ni5arga) May 26, 2026
He also claimed that several of the vulnerabilities remained visible in the JavaScript bundle even after his disclosure to CERT-In. In another post, he alleged that similar “master password” issues existed on other “OnMark” subdomains linked to different institutions, citing verification by another researcher using archived web data.
CBSE is yet to respond to the developments.
