3 days ago
1
The Central Board of Secondary Education (CBSE) connected Tuesday (May 26, 2026) rejected claims that its Onscreen Marking System (OSM) portal could person been compromised.
The OSM portal is utilized by the CBSE examiners to measure scanned copies of reply sheets digitally. The CBSE has travel nether disapproval aft respective Class 12 students reported incorrect marking for seemingly close answers upon receiving copies of reply scripts they requested for re-evaluation.
The Board’s clarification came arsenic a West Bengal-based ethical hacker, Nisarga Adhikary, claimed successful societal media posts that helium had, successful February 2026, complained to the Indian Computer Emergency Response Team (CERT-In), which is housed wrong the Electronics and Information Technology Ministry, that the OSM portal was taxable to aggregate vulnerabilities. Mr. Adhikary besides claimed that helium had hacked into the CBSE’s “OSM” portal and recovered captious vulnerabilities.
The CBSE, successful a connection connected X said, “At the outset, it is clarified that the portal utilized for valuation of answer-books bore a antithetic URL which has neither been compromised nor does it person the vulnerabilities indicated successful the societal media station [of Mr. Adhikary].”
It added that the URL mentioned successful the societal media post, cbse.onmark.co.in., was a investigating tract lone with illustration information for interior investigating and reappraisal purposes. “There are nary existent valuation data, marks oregon different information held connected that portal,” the CBSE added.
The CBSE effect comes adjacent arsenic method teams are investigating whether the OSM portal could person suffered a information breach, sources successful the Education Ministry said. Union Education Minister Dharmendra Pradhan connected Monday sought assistance from the Indian Institute of Technology-Madras and IIT-Kanpur to place issues with the portal.
Portal takeover
Speaking to The Hindu, Mr. Adhikary said the vulnerabilities identified by him included terrible leaking of passwords, slope details, and log-in tokens. This could pb to afloat takeover of an examiner’s account. “I noticed that it was imaginable for an impersonator to log successful arsenic immoderate examiner and usage their relationship to people students’ reply sheets and tamper with the marks,” helium said. “Because this level is utilized by a immense fig of evaluators and handles delicate world data, its information truly matters.”
The process of impersonation progressive obtaining a maestro password which overrides each information protocol and OTP verification.
“To log successful arsenic a circumstantial examiner, each an attacker needs is simply a target’s user ID and school code, some of which are publically obtainable. The master password sits successful a JS record anyone tin download. I person sent a surface signaling of the hacking process to CERT-In. Once a maestro password is obtained it overrides each OTP verification requirement. An impersonator tin easy get an examiner’s idiosyncratic ID and log successful with the maestro password to perchance tamper with pupil reply sheets,” helium said.
Mr. Adhikary stated that removing the maestro password and strengthening server settings could assistance reenforce the OSM portal. “Any web developer oregon AI cause tin bash this. It is comic however susceptible the OSM portal is to cyberattacks and that these vulnerabilities person not been fixed despite been flagged betwixt February and May,” helium said.
Responding to the CBSE statement, Mr. Adhikary said that helium stood by his CERT-IN ailment and stated that helium had shared ocular impervious astir the vulnerabilities and besides received an acknowledgement from the bureau that they were moving connected fixing the breach.
Over 11 lakh reply books sought
The CBSE has said that arsenic connected May 26, it has received 4,04,319 applications from students for obtaining scanned copies of reply books. A full of 11,31,961 reply books person been requested done these applications. The Board said it had furnished up to 8,98,214 reply books digitally.
“The pending requests for obtaining scanned copies of reply books are expected to beryllium fulfilled by May 27. The portal for applications for verification and re-evaluation of reply books is expected to spell unrecorded by May 29,” it added.
