The Central Board of Secondary Education (CBSE) on Tuesday (May 26, 2026) rejected claims that its Onscreen Marking System (OSM) portal could have been compromised.
The OSM portal is used by the CBSE examiners to evaluate scanned copies of answer sheets digitally. The CBSE has come under criticism after several Class 12 students reported incorrect marking for seemingly correct answers upon receiving copies of answer scripts they requested for re-evaluation.
The Board’s clarification came as a West Bengal-based ethical hacker, Nisarga Adhikary, claimed in social media posts that he had, in February 2026, complained to the Indian Computer Emergency Response Team (CERT-In), which is housed within the Electronics and Information Technology Ministry, that the OSM portal was subject to multiple vulnerabilities. Mr. Adhikary also claimed that he had hacked into the CBSE’s “OSM” portal and found critical vulnerabilities.

The CBSE, in a statement on X, said, “At the outset, it is clarified that the portal used for evaluation of answer-books bore a different URL which has neither been compromised nor does it have the vulnerabilities indicated in the social media post [of Mr. Adhikary].”
It added that the URL mentioned in the social media post, cbse.onmark.co.in, was a testing site only with sample data for internal testing and review purposes. “There are no actual evaluation data, marks or other data held on that portal,” the CBSE added.
The CBSE response comes even as technical teams are investigating whether the OSM portal could have suffered a security breach, sources in the Education Ministry said. Union Education Minister Dharmendra Pradhan on Monday sought assistance from the Indian Institute of Technology-Madras and IIT-Kanpur to identify issues with the portal.
Portal takeover
Speaking to The Hindu, Mr. Adhikary said the vulnerabilities identified by him included severe leaking of passwords, bank details, and log-in tokens. This could lead to full takeover of an examiner’s account. “I noticed that it was possible for an impersonator to log in as any examiner and use their account to grade students’ answer sheets and tamper with the marks,” he said. “Because this platform is used by a huge number of evaluators and handles sensitive academic data, its security really matters.”

The process of impersonation involved obtaining a master password which overrides all security protocols and OTP verification.
“To log in as a specific examiner, all an attacker needs is a target’s user ID and school code, both of which are publicly obtainable. The master password sits in a JS file anyone can download. I have sent a screen recording of the hacking process to CERT-In. Once a master password is obtained it overrides all OTP verification requirements. An impersonator can easily obtain an examiner’s user ID and log in with the master password to possibly tamper with student answer sheets,” he said.
Mr. Adhikary stated that removing the master password and strengthening server settings could help reinforce the OSM portal. “Any web developer or AI agent can do this. It is funny how vulnerable the OSM portal is to cyberattacks and that these vulnerabilities have not been fixed despite being flagged between February and May,” he said.

Responding to the CBSE statement, Mr. Adhikary said that he stood by his CERT-In complaint and stated that he had shared visual proof about the vulnerabilities and also received an acknowledgement from the agency that they were working on fixing the breach.
Over 11 lakh answer books sought
The CBSE has said that as on May 26, it has received 4,04,319 applications from students for obtaining scanned copies of answer books. A total of 11,31,961 answer books have been requested through these applications. The Board said it had furnished up to 8,98,214 answer books digitally.
“The pending requests for obtaining scanned copies of answer books are expected to be fulfilled by May 27. The portal for applications for verification and re-evaluation of answer books is expected to go live by May 29,” it added.