New Delhi, June 6: Fresh concerns have emerged over the cybersecurity framework of the Central Board of Secondary Education (CBSE) after a 19-year-old ethical hacker alleged that multiple vulnerabilities in the Board’s digital systems allowed access to sensitive academic data, including answer sheets and evaluation-related information.
In an interview with IANS, Nisarga Adhikary claimed that he was able to identify security weaknesses in CBSE-linked online platforms within minutes and subsequently reported dozens of vulnerabilities to the authorities.
The allegations come at a time when the Board is already facing scrutiny over the implementation of its On-Screen Marking (OSM) system and concerns surrounding digital evaluation processes.
According to Adhikary, his interest in the system began after CBSE launched a new portal and released related circulars. He said he conducted an independent security assessment using publicly available information and discovered what he described as significant weaknesses in the platform’s security architecture.
The ethical hacker alleged that during his examination of the portal, he located a publicly accessible web link and analysed portions of the platform’s front-end code.
Using software tools, he claimed to have identified a “master code password” embedded within the system, which allegedly enabled access to evaluator accounts if corresponding user credentials were available.
Adhikary further alleged that he was able to obtain evaluator user IDs from publicly accessible online sources and subsequently access certain accounts.
According to him, this access enabled the viewing of evaluation-related materials and grading interfaces.
He claimed that beyond the initial issue, he identified a total of 45 vulnerabilities in the system and reported them to CBSE.
However, he alleged that no response was received regarding the reported security concerns.
“I waited for three months until the results were declared and then went public with the information,” Adhikary said during the interview.
He further claimed that after making the matter public, he discovered additional vulnerabilities that allegedly provided access to a large volume of scanned answer sheets and other stored data.
The claims have intensified debate over cybersecurity standards within educational institutions and public digital platforms.
Adhikary alleged that the security measures implemented within the system were inadequate and that proper auditing procedures may not have been carried out before the platform became operational.
When asked about how quickly he was able to identify potential vulnerabilities, the teenager said the process took approximately 20 minutes.
He stated that he then proceeded to test and document the vulnerabilities in what he described as an ethical and responsible manner before reporting them.
The allegations surfaced shortly after CBSE disclosed that it had successfully defended its systems against a major cyberattack during the ongoing answer-sheet verification and re-evaluation process.
The Board had recently reported receiving more than 56,000 applications for verification and re-evaluation while simultaneously thwarting a large denial-of-service (DDoS) attack targeting its online infrastructure.
CBSE has also introduced Aadhaar-based authentication for certain services this year as part of efforts to strengthen security and ensure the authenticity of applications.
Meanwhile, questions regarding the Board’s digital infrastructure have continued following concerns raised about the On-Screen Marking system used in examination evaluation.
The controversy surrounding the OSM platform led to the transfer of senior CBSE officials earlier this week and the constitution of an inquiry committee to examine aspects of the system’s procurement and implementation.
When asked about reports of an FIR linked to cyber incidents affecting CBSE platforms, Adhikary said he was not concerned.
He clarified that the FIR pertained to a denial-of-service attack and maintained that neither he nor others involved in security research related to the portal had participated in such activities.
The ethical hacker said he had been in contact with individuals connected to cybersecurity communities and was confident in the legitimacy of his actions.
Adhikary also called for greater attention to cybersecurity reporting and stronger engagement with independent security researchers.
He argued that organisations should treat vulnerability reports more seriously and ensure that security audits and penetration testing are completed before launching digital platforms.
The allegations have not yet been independently verified, and CBSE has not publicly responded to the specific claims made in the interview.
However, the disclosures have once again highlighted growing concerns over cybersecurity, data protection and the security of digital education platforms that manage information belonging to millions of students across the country.
With investigations and reviews already underway into various aspects of CBSE’s digital systems, the latest claims are likely to add further scrutiny to the Board’s cybersecurity practices and technology governance framework.
