For the past week, class 12 CBSE students have been complaining about discrepancies in the new digital evaluation system adopted by the Central Board of Secondary Education (CBSE) this year for grading class 12 answer sheets. While students are alleging that the evaluation process has not been conducted properly, a 19-year-old cybersecurity researcher has alleged that CBSE's On-Screen Marking (OSM) system for Class 12 board exam evaluations contained multiple critical vulnerabilities that could have allowed miscreants to bypass authentication, reset examiner passwords, and potentially tamper with marks.
The 19-year-old ethical hacker shared his claims in a detailed post on his personal blog. The cybersecurity researcher claimed that the vulnerabilities had first been discovered on February 25 and reported to the Indian Computer Emergency Response Team (CERT-In). The researcher also added that even though several follow-ups were attempted, there wasn't any reply and the flaws remained unaddressed for a significant period.
"Because this platform is used by huge numbers of evaluators and handles sensitive academic data, its security really matters. It seems like this platform is developed by Coempt EduTeck Pvt Ltd and this same OnMark platform is used by multiple boards & other institutions," the researcher stated in the blog.
"While poking around, I found several critical vulnerabilities in the OSM portal that could lead to full account takeover of examiner accounts. Anyone exploiting these could also tamper with or disrupt the grading process, which directly threatens the integrity of the exam evaluations," the researcher added. "I reported all of this to CERT-In before publishing this blog."
Interestingly, this ethical hacker also appeared for class 12 board exams this year.
"I've done bug bounty and security work for fun before, so when CBSE rolled out OSM and I noticed the portal link was completely public, my curiosity got the better of me. I opened the On-Screen Marking portal and started playing around with the HTTP requests and everything else I could see," the blog read. "The login page asks for three things: a user ID, a school code, and a password, followed by an OTP step. Nothing about that screen looks unusual. The problems only showed up once I stopped looking at the page and started looking at the code behind it."
According to the researcher, one of the most serious flaws involved a hardcoded “master password” allegedly embedded directly inside the portal’s public JavaScript bundle. The researcher claims that entering this password into the login form automatically bypassed the OTP verification process, which means anyone could access the examiner accounts using only a user ID and school code.
"When this master password was entered into the login form, the app automatically filled the OTP field and bypassed the normal authentication flow entirely. There was no second factor to clear and no server-side check to satisfy. Entering the magic string was enough. To log in as a specific examiner, all an attacker needs is: A target's user ID and school code, both of which are publicly obtainable," the blog stated. "The master password, sitting in a JS file anyone can download. With those, I was able to log in as an examiner (bypassing the OTP/2FA flow totally) and reach the evaluation dashboard, where I could view and edit marks."
The blog further alleges that OTP validation itself was being handled entirely on the client side. This means the OTP sent by the server could allegedly be viewed directly through browser network logs, while verification checks were performed locally within the browser instead of on the server.
The 19-year-old also stated that CBSE's OSM portal lacked proper route protections, meaning that internal pages were directly accessible by manually editing browser storage values.
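For contrast with the client-side OTP check and storage-based page access described above, here is a sketch of the same flow enforced on the server. It is an added example, not code from the portal or from the researcher's blog; the function names, the in-memory session map, the five-minute validity window and the five-attempt limit are all assumptions made for illustration.

```javascript
// Added example (hypothetical names): OTP checked on the server, never in the browser.
const { randomInt, createHash, timingSafeEqual } = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000; // assumed validity window
const MAX_ATTEMPTS = 5;           // assumed retry limit
const sessions = new Map();       // sessionId -> server-side state (in-memory for the demo)

const sha256 = (s) => createHash('sha256').update(s).digest();

// Called only after the password check has passed. The code is delivered
// out-of-band (SMS or e-mail); the HTTP response carries a status and nothing else.
function issueOtp(sessionId, deliver, now = Date.now()) {
  const otp = String(randomInt(0, 1_000_000)).padStart(6, '0');
  sessions.set(sessionId, {
    otpHash: sha256(otp),          // store a hash, not the code itself
    expires: now + OTP_TTL_MS,
    attempts: 0,
    verified: false,
  });
  deliver(otp);
  return { status: 'otp_sent' };
}

// The comparison runs here. No special password value or client-side flag skips it.
function verifyOtp(sessionId, submitted, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || s.verified || now > s.expires) return { ok: false, reason: 'no_pending_otp' };
  if (++s.attempts > MAX_ATTEMPTS) {
    sessions.delete(sessionId);    // force a fresh login after too many guesses
    return { ok: false, reason: 'locked' };
  }
  if (!timingSafeEqual(sha256(String(submitted)), s.otpHash)) {
    return { ok: false, reason: 'mismatch' };
  }
  s.verified = true;
  s.otpHash = null;                // single use
  return { ok: true };
}

// Guard for every internal page and API route: it trusts only server-side
// session state, so edited browser storage values have no effect.
function authorize(sessionId) {
  const s = sessions.get(sessionId);
  return Boolean(s && s.verified);
}
```

In a real deployment the session map would live in a shared store, and `authorize` would run as middleware in front of every evaluation and marks-editing endpoint.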
Source: Times Now