CBSE Re-evaluation Portal Goes Down

CBSE, while rejecting broader claims that the actual evaluation portal was hacked, has acknowledged that vulnerabilities in the OnMark portal of its service provider were being flagged in the public domain.

Update: 2026-06-01 17:37 GMT

Hyderabad: CBSE’s Class XII re-evaluation portal remained inaccessible on Monday even after the window was postponed from May 29 to June 1. Students who had downloaded scanned copies and were waiting to question their scores were left checking a page that said the site was under updation or was unavailable. The Board later said the portal would go live “soon” and that an official announcement would follow, but the site remained inaccessible throughout the day.

“I wanted to get my Maths and Physics paper re-evaluated because there were several questions I answered correctly, but they did not give me proper marks,” said Sukriti Garg, a Hyderabad student, adding, “This is just wasting so much of my time and diverting my focus. I am preparing for engineering, but every hour I end up checking the portal, and it only says the site is under updation.”

The delay is now part of a larger dispute in which cybersecurity researchers have alleged flaws in systems linked to OnMark, the service provider portal used for CBSE’s digital evaluation process.

CBSE, while rejecting broader claims that the actual evaluation portal was hacked, has acknowledged that vulnerabilities in the OnMark portal of its service provider were being flagged in the public domain. The Board’s May 31 statement said it had been “closely monitoring the vulnerabilities in the OnMark portal” and that an expert team of cybersecurity professionals had been deployed. It also said it had contacted some ethical hackers directly and asked others to send inputs.

Nisarga Adhikary, a 19-year-old cybersecurity researcher who was the first to report the vulnerabilities on CBSE’s site, claimed on Monday that the “reevaluation site got taken down after I reported an open payment info endpoint to cert-in.”

Speaking to Deccan Chronicle about his hacking, Nisarga explained, “I have cross-checked the data with actual records, they match. For example, the teacher’s account I had hijacked for my initial research is an actual teacher at an actual Indian school who was tasked with checking papers.”

He said he could see dashboards and reports and claimed the access was broad enough to potentially affect student data. “I was able to act as an evaluator totally and could leverage broken access,” Nisarga said.

He also claimed that a hardcoded password in a JavaScript file could have allowed login without proper authentication. “It was reportedly patched after my initial reports, while other vulnerabilities continued to exist.”

Moutan Sarkar, a cybersecurity expert with a research background in information security at IIIT Hyderabad, said Nisarga and other cybersecurity researchers’ allegations were serious because the system dealt with student evaluation details, identity data and admissions-linked records.

“The alleged vulnerability is potentially very serious. If such flaws existed in any environment closely resembling production architecture, this is typically high-severity and could be considered a critical risk,” Sarkar explained.

She added that the most concerning part, technically, was the claim that some vulnerabilities had been disclosed earlier through CERT-In channels but were not fixed. “Hardcoded credentials mean passwords, usernames, tokens, access strings, and keys were directly coded into the application code instead of being securely stored in a protected backend system or sensitive management tools. For a system handling students' evaluation details, this is a very critical risk,” she said.
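The claim about a hardcoded password in a JavaScript file, and Sarkar's description of hardcoded credentials, can be turned into a pre-release check. The following is an added example, not code from the portal or from anyone quoted here: the sample bundle, names and values are constructed, and the patterns are an assumption about what to look for.

```javascript
// Constructed sample of client-side JavaScript (illustrative only).
const SAMPLE_BUNDLE = [
  'const API_BASE = "/api/v1";',
  'const adminPassword = "Ev@l#2026";  // secret shipped to every browser',
  'function login(user, password) {',
  '  if (password === "letmein-master") return openDashboard(user); // check done in the browser',
  '  return fetch(API_BASE + "/login", { method: "POST", body: JSON.stringify({ user, password }) });',
  '}',
  'const cfg = { authToken: "9f8e7d6c5b4a39281706", passwordPlaceholder: "Enter password" };',
  'const form = { password: "" };',
].join("\n");

// identifier, then an assignment or comparison operator, then a quoted string literal
const LITERAL = /(?<name>[A-Za-z_$][\w$]*)\s*(?<op>===?|!==?|[:=])\s*(?<q>["'])(?<value>(?:\\.|(?!\k<q>).)*)\k<q>/g;
const SENSITIVE = /passw(or)?d|pwd|secret|token|api[_-]?key/i;
const BENIGN_NAME = /(placeholder|label|hint|field|name)$/i; // UI text, not credentials

function findHardcodedCredentials(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(LITERAL)) {
      const { name, op, value } = m.groups;
      // Skip non-credential names, UI strings and empty initial values.
      if (!SENSITIVE.test(name) || BENIGN_NAME.test(name) || value.length === 0) continue;
      findings.push({
        line: i + 1,
        name,
        // A comparison against a literal means the login decision is made client-side.
        kind: op.length > 1 ? "client-side comparison" : "assignment",
        // Redact the value so the report does not become a second leak.
        preview: value.slice(0, 2) + "*".repeat(Math.max(value.length - 2, 0)),
      });
    }
  });
  return findings;
}

for (const f of findHardcodedCredentials(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.name} (${f.kind}) ${f.preview}`);
}
```

Anything this flags in a built bundle is readable by every visitor, so the fix is to move the secret and the credential check to the server and rotate the exposed value, not to obfuscate it.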

Sarkar said even test portals cannot be treated lightly if they mirror production systems or share databases. “What if test environments are an intelligence source of prod to attackers? What if the test environment is not properly isolated? What if test and prod are connected to the same database?” Sarkar said.

Separately, Hyderabad-based Coempt EduTek has been linked with CBSE’s OSM contract; CBSE rejected wrongdoing and said procurement rules were followed. “One of the biggest modern risks is not the core organisation itself, but the supply chain around it. Here it might be cloud providers, software vendors, hosting partners, scanning vendors, maintenance contractors, authentication providers and various other support teams,” said Sarkar. “A system is only as secure as its weakest vendor. Today, citizens increasingly expect audit mechanisms, data governance practices and security accountability.”
