Hacker revealed multiple severe security flaws in the system, reporting the vulnerabilities to authorities over three months ago, yet only partial fixes were implemented.

The Central Board of Secondary Education (CBSE) is already facing severe backlash over the 2026 Class 12 board results, with thousands of students reporting unexpectedly low marks, mental stress, and serious evaluation errors. Many parents and students have taken to social media alleging that the new On-Screen Marking (OSM) system failed them.
Now in a viral video, a 19-year-old self-taught hacker has revealed critical security vulnerabilities in the very same OSM portal, the system responsible for evaluating and processing results of over two million students.
In a detailed and responsible disclosure, Nisarga Adhikary revealed multiple severe security flaws in the system. He reported the vulnerabilities to authorities three months ago, yet only partial fixes were implemented. On Tuesday, the CBSE website was taken offline entirely, triggering massive online outrage and embarrassment for the national examination body.
Tech investor and prominent X voice Deedy Das amplified the story, calling it “an absolute embarrassment.” According to Nisarga’s technical blog, the breaches included:
- A master password leaked in client-side JavaScript code
- Bypass of client-side 2FA/OTP validation
- Tokenless access to the entire internal admin dashboard
- Ability to change any user’s password without knowing the old one
- IDOR (Insecure Direct Object Reference) vulnerability allowing anyone to impersonate users and edit exam marks
Deedy noted that these issues persisted despite his own warnings about similar (though less severe) vulnerabilities more than a decade ago. “The futures and lives of millions rest in the hands of the utterly incompetent,” he wrote.
A 19-year old broke into India’s largest high school examination system of 2M+ students a year, the CBSE, and was able to view and CHANGE any students’ marks. He responsibly wrote to the team 3 months ago, and it took them 3 days to fix only one of the issues. Today, they took… pic.twitter.com/6FR2wAFQgB
— Deedy (@deedydas) May 26, 2026
Internet Reacts Aggressively
The story triggered a storm of reactions across social media. One user quipped, “8:00am: Indian parents demand 99%. 8:05am: bypass client-side 2FA. 8:06am: IDOR into master DB… you eat dal chawal and skip college.”
Another remarked, “Master password in a client-side JS file is security 101 failure. The bigger problem is 3 months of silence after responsible disclosure.”
Several users expressed deep concern for students: “Imagine studying 14 years for board exams just for some teenager with Firefox DevTools to decide your future.” Others targeted systemic issues: “This is what happens when L1 bids and IAS babus handle critical tech projects.” Many praised the young hacker’s talent, with one saying, “A 19yo who never went to college can do things 99% of top engineers couldn’t figure out.”
Calls for accountability grew loud, with users tagging the Education Ministry and questioning the lack of mainstream media coverage.
While there is no evidence that the vulnerabilities were exploited maliciously, the incident has raised serious questions about the security standards of platforms handling high-stakes national examinations. Nisarga stressed in his blog that “the client cannot be trusted, ever,” and that these were basic security mistakes.
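What "the client cannot be trusted" means for three of the flaw classes listed above (token-less access, client-side OTP validation, IDOR on marks), shown as an added sketch that is not CBSE's or Nisarga's code. The data model, function names and status codes are assumptions made for illustration.

```javascript
// Constructed in-memory data; every name here is hypothetical, not the portal's schema.
const assignments = new Map([["script-101", "eval-A"], ["script-102", "eval-B"]]);
const marks = new Map([["script-101", 71], ["script-102", 64]]);
const sessions = new Map();   // token -> { userId, otpVerified }
const pendingOtp = new Map(); // userId -> { code, expires, tries }

// Demo helper: a real system would issue a random token and a random OTP itself.
function startSession(token, userId, otpCode, now = Date.now()) {
  sessions.set(token, { userId, otpVerified: false });
  pendingOtp.set(userId, { code: otpCode, expires: now + 5 * 60 * 1000, tries: 0 });
}

// Constant-time comparison so a mismatch does not reveal how many digits matched.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ (b.charCodeAt(i) || 0);
  return diff === 0;
}

// The OTP is checked on the server; the browser only learns pass or fail.
function verifyOtp(token, submitted, now = Date.now()) {
  const session = sessions.get(token);
  const otp = session && pendingOtp.get(session.userId);
  if (!otp || now > otp.expires || otp.tries >= 5) return false;
  otp.tries += 1;                               // attempt limit enforced server-side
  if (!safeEqual(String(submitted), otp.code)) return false;
  pendingOtp.delete(session.userId);            // single use
  session.otpVerified = true;                   // state lives here, not in client JS
  return true;
}

function updateMarks(token, scriptId, newMarks) {
  const session = sessions.get(token);
  if (!session) return { status: 401 };             // no valid token, no access
  if (!session.otpVerified) return { status: 403 }; // second factor not completed
  if (!assignments.has(scriptId)) return { status: 404 };
  // IDOR guard: the caller's identity comes from the session, never from a request field.
  if (assignments.get(scriptId) !== session.userId) return { status: 403 };
  if (!Number.isInteger(newMarks) || newMarks < 0 || newMarks > 100) return { status: 400 };
  marks.set(scriptId, newMarks);
  return { status: 200 };
}
```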
CBSE is said to have taken parts of the portal offline for fixes. As students and parents continue to demand transparency on both evaluation fairness and digital security, this episode underscores the urgent need for robust safeguards in India’s education infrastructure.
