A 19-year-old Indian security researcher, Nisarga Adhikary, discovered five critical vulnerabilities in the Central Board of Secondary Education (CBSE) online On-Screen Marking (OSM) system in February this year. He promptly reported them to the Indian Computer Emergency Response Team (CERT-In), but after receiving no substantive response within three months, he publicly disclosed them in May. The vulnerabilities included: a hardcoded plaintext master password in a frontend JavaScript package that could bypass two-factor authentication to directly log into any examiner account; OTP verification logic entirely handled on the client side, with the server returning the plaintext OTP in the response body; zero authentication guards on Angular routes, allowing anyone to directly navigate to internal pages such as the grading dashboard; a change password API that did not verify the old password; and systematic insecure direct object references (IDOR) throughout the entire API system — combined, these flaws allowed an attacker to fully take over any examiner account and thereby tamper with the scores of millions of answer sheets. The researcher himself had just finished his high school board exams, and the system was processing the Grade 12 answer sheets of over 28,000 schools across India.
After the incident gained traction, CBSE issued a public statement denying the vulnerabilities and characterizing the domain in question as a “test environment.” However, the researcher provided multiple pieces of counter-evidence, including screenshots of production data, CBSE official emails containing the URL, a screencast of exploitation, and site archives from March. The same master password was also found in the JS packages of other educational institutions on the Onmark platform. The Internet Freedom Foundation (IFF) has sent a letter to the Indian Ministry of Education and CERT-In, and more than ten media outlets, including BBC, India Today, and NDTV, have covered the story. Additionally, Adhikary discovered a SQL injection vulnerability in the same portal in late May and has reported it separately.