CBSE’s Digital Exam Portal Had a Master Password That Could Unlock Any Examiner's Account — and the Board Knew for 3 Months before Going Public
Moneylife Digital Team 27 May 2026
A 19-year-old cybersecurity enthusiast has raised serious questions about the safety of the Central Board of Secondary Education’s (CBSE) digital answer-sheet evaluation system after claiming he discovered multiple major security flaws that could allegedly allow anyone to access examiner accounts and potentially alter marks. Meanwhile, CBSE 'ignored' calls for regional trials before rolling out the new on-screen marking (OSM) for class 12 board exam evaluation, claims a report from Hindustan Times.
 
The issue has become more sensitive because it surfaced at the same time that many class 12 students across India have been complaining about wrong answer sheets, mismatched handwriting and incorrect marks during revaluation.
 
The student researcher, Nisarga Adhikari, says he found the flaws in February 2026, shortly after completing his class 12 board exams. According to his detailed technical write-up published online, the most alarming issue was a ‘master password’ he described as hidden within the portal’s publicly accessible code.
 
The digital evaluation system is used by CBSE examiners to assess scanned answer sheets online. Instead of checking physical papers manually, teachers log into the portal, review answer sheets on-screen and upload marks digitally.
 
The platform, operated by private technology company Coempt EduTeck Pvt Ltd under its product called OnMark, was designed to modernise the evaluation process for millions of answer sheets.
 
However, according to Nisarga, the system had several basic security weaknesses.
 
A Password Hidden in Plain Sight
Nisarga says he began examining the code running behind the CBSE evaluation portal after opening the login page out of curiosity.
 
What he allegedly found was a master password written directly inside a JavaScript file — the same type of file every browser automatically downloads while loading a website.
 
According to him, the password was not encrypted or hidden. Anyone downloading the file could allegedly see it.
 
He claimed that entering this password into the login page would bypass the portal’s normal security process, including the one-time password (OTP) verification step.
 
This meant that if someone knew an examiner’s user ID and school code, they could allegedly log in to the account without needing the actual OTP.
 
Nisarga says the user IDs and school codes were also publicly obtainable.
 
OTP Security Was Also Weak
The researcher further alleged that the OTP system itself was flawed because the portal reportedly sent the OTP directly back to the browser during login.
 
Normally, OTP verification is supposed to happen securely on the server side. But according to Nisarga, the CBSE portal allegedly checked the OTP inside the user’s browser itself.
 
Cybersecurity experts generally consider this unsafe because anything happening inside a browser can potentially be manipulated by the user.
 
Nisarga wrote that “a security control running on the attacker’s machine is not really a security control.”
 
Internal Pages Could Be Accessed without Logging In
Another major issue highlighted in the report was the absence of proper access controls.
 
According to the researcher, several internal pages — including evaluation dashboards and answer-sheet viewing sections — could allegedly be opened directly without completing the normal login process.
 
He claimed that by changing a few values inside the browser’s storage settings, users could gain access using a completely fake identity.
 
The report also alleged that passwords for examiner accounts could be changed without knowing the old password because the system reportedly failed to verify existing credentials properly.
 
A Larger Problem across the Entire System
Perhaps the most serious allegation involved what cybersecurity experts call an “IDOR” vulnerability — short for Insecure Direct Object Reference.
 
According to Nisarga, the portal identified users mainly through editable information stored inside the browser rather than securely verifying identities on the server.
 
This allegedly meant users could simply replace their own user ID with somebody else’s and potentially access operations meant for another account.
 
Combined with the password-reset flaw, the researcher claimed this could allow someone to take over examiner accounts entirely.
 
Importantly, Nisarga says none of these vulnerabilities required advanced hacking tools or deep technical expertise.
 
“The hardest step was reading a JavaScript file,” he wrote.
 
Reported in February, Portal Taken Offline Months Later
Nisarga says he reported the vulnerabilities to the Indian Computer Emergency Response Team, better known as CERT-In, on 25 February 2026.
 
According to him, CERT-In acknowledged the complaint and requested additional details, including a screen recording.
 
He says he later submitted detailed demonstrations showing the vulnerabilities in action.
 
However, Nisarga claims that even after multiple follow-ups, the issues largely remained unresolved for months while answer-sheet evaluation continued on the platform.
 
He also pointed to archived copies of the portal available online that allegedly showed the vulnerable code remained active even after the report was submitted.
 
Only after the issue gained public attention did the portal reportedly go offline.
 
CBSE Denies Any Breach
CBSE has publicly denied that its live evaluation system was compromised.
 
In a statement posted on X, formerly Twitter, CBSE claimed the affected website was merely a testing environment containing sample data and not real evaluation information.
 
However, Nisarga disputed this explanation and published screenshots and videos which he says showed actual examiner dashboards and production data.
 
The controversy deepened after CBSE reportedly deleted its original clarification post and later issued another statement correcting the website address it had mentioned earlier.
 
 
Researchers also claimed that similar vulnerabilities were present in other examination portals using the same OnMark software platform, including systems linked to the Maharashtra State Board of Technical Education.
 
Student Complaints Add to Concerns
The security controversy comes at a time when many students are already questioning the reliability of the digital evaluation system itself.
 
Several class 12 students have posted complaints on social media claiming that scanned answer sheets provided during revaluation did not match their handwriting.
 
 
Others reported blurred pages, incorrect marks and missing supplementary sheets.
 
One student wrote online that the chemistry answer sheet received during revaluation appeared to belong to somebody else entirely.
 
The growing number of complaints has prompted a separate investigation by a team from the Indian Institute of Technology Madras, which is currently examining the online marking system and its processes.
 
At present, it remains unclear whether the answer sheet mismatch complaints are connected in any way to the alleged security flaws.
 
Bigger Questions over Accountability
The incident has raised broader concerns about how critical digital public systems are designed and monitored.
 
Cybersecurity experts often stress that passwords should never be stored openly in frontend code, OTP checks should happen securely on servers and user identities must always be verified properly before allowing access.
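
The safeguards listed above, sketched as an added example (not code from the OnMark portal or from the researcher's write-up): the server generates and checks the OTP, and takes the acting user from the session rather than from an ID the browser supplies. The function names, the in-memory maps and the `store` interface are assumptions made for illustration.

```javascript
// Added example with hypothetical names; runs on Node.js with no dependencies.
const crypto = require("node:crypto");

const OTP_TTL_MS = 5 * 60 * 1000;
const MAX_ATTEMPTS = 5;
const pendingOtps = new Map(); // userId -> { hash, expires, attempts }
const sessions = new Map();    // session token -> userId

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Step 1: the OTP is generated and kept (hashed) on the server.
// What goes back to the browser contains no OTP and no bypass value.
function startLogin(userId, deliver) {
  const otp = crypto.randomInt(0, 1_000_000).toString().padStart(6, "0");
  pendingOtps.set(userId, { hash: sha256(otp), expires: Date.now() + OTP_TTL_MS, attempts: 0 });
  deliver(userId, otp); // out-of-band channel (SMS or e-mail), never the HTTP response
  return { status: "otp_sent" };
}

// Step 2: the comparison happens on the server, is rate-limited and single-use.
function verifyOtp(userId, submitted) {
  const rec = pendingOtps.get(userId);
  if (!rec || Date.now() > rec.expires || ++rec.attempts > MAX_ATTEMPTS) {
    pendingOtps.delete(userId);
    return null;
  }
  if (!crypto.timingSafeEqual(rec.hash, sha256(String(submitted)))) return null;
  pendingOtps.delete(userId);
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(token, userId);
  return token; // in a real deployment this would be set as an HttpOnly cookie
}

// Step 3: the account being changed is the one bound to the session.
// A userId in the request body is never trusted, and the old password is checked.
function changePassword(token, body, store) {
  const userId = sessions.get(token);
  if (!userId) return { status: 401 };
  if (body.userId !== undefined && body.userId !== userId) return { status: 403 };
  if (!store.checkPassword(userId, body.oldPassword)) return { status: 403 };
  store.setPassword(userId, body.newPassword);
  return { status: 200 };
}
```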
 
Critics argue that these are not advanced security principles but basic safeguards expected in modern digital systems — especially one handling examination records of millions of students.
 
So far, CBSE has not publicly addressed the technical details raised by the researcher, while Coempt EduTeck has also not issued any detailed public response.
 
The IIT-Madras investigation is still underway and many students and parents are now waiting for clearer answers about both the security and reliability of the examination evaluation system.
 
Comments
Kamal Garg
2 weeks ago
Horrendous, if the allegations are true.