Student Claims Marking Portal Hack, CBSE Denies
When lakhs of CBSE students are already worried about the re-evaluation portal crash, blurred answer sheet complaints and incorrect marks, parents said the hacking of the website has further shaken their confidence in the security of the online systems.

Hyderabad: The alleged hacking of the CBSE On-Screen Marking (OSM) system by 19-year-old Nisarga Adhikary, which was denied by the CBSE on Tuesday, has shocked educationists and students, raising serious concerns about the exam system and its impact on students’ mental well-being. The CBSE later in the day denied that this was possible and said its portal was safe.
Writing in his blog, Adhikary said that he first found vulnerabilities on February 25 and reported them to CERT-In, the Indian Computer Emergency Response Team of the Union ministry of electronics and information technology. He claimed several critical vulnerabilities in the OSM portal could lead to full takeover of examiner accounts and changes to students' marks. He also said that the problems were far bigger than expected.
The security lapses in the portal that he mentioned in his blog were a master password left in source code, fake OTP authentication, no access controls, password changes without verification, and a server that trusts unverified user IDs.
The board on Tuesday clarified that the portal used for evaluation bore a different URL, which has neither been compromised nor has the vulnerabilities indicated in the said social media post. The URL cited by the student, cbse.onmarks.co.in, was the testing site only, with sample data for internal testing and review purposes. There are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the portal deployed for the actual evaluation work.
Responding to the CBSE clarification on ‘X’, Nisarga stated, “If the portal only contained test data, how was I able to log in with prod user data completely?” He claimed to possess screen recordings and proof of CERT-In acknowledging it.
He alleged similar vulnerabilities existed on multiple subdomains, including cbse1.onmark.co.in, cbse2.onmark.co.in, cbse3.onmark.co.in, and cbse4.onmark.co.in. Nisarga also claimed that he had visual proof showing access to what he described as non-test production data through the portal. There was no further CBSE clarification on the latest allegations at the time of going to print.
According to academic Rekha Rao Ch., “The technology is so advanced that anything can happen.” She said mistakes at this point cannot be taken lightly, and a mere apology is not enough.
Educationists said the issue would negatively affect students and damage their confidence.
“Before using the technology in real time, the CBSE should have tested it properly,” said A.N.S. Shankar Rao, lecturer. A student, Tarun Prakash, said that the hacking allegations showed negligence.
Anubha Shrivastava Sahai, advocate and president of the India Wide Parents Association, said the latest allegations have shaken trust in the 2026 Class XII examination process itself and, with the daily developments, the integrity of the exam also comes under scrutiny.
CBSE should not have done this experiment without any trial, he said.
Referring to claims made online by a student who said he had alerted CBSE months ago about loopholes in the portal, she said authorities should have “rectified it” instead of proceeding with the new marking system. “Now we don’t trust the marking scheme of this particular exam because we don’t know whether the marks students have scored are genuine or not.”
Sahai also criticised online abuse directed at students raising concerns publicly. “The moment anybody raises their voice on social media, people start trolling them, calling them anti-Indian or Pakistani. If a student is pointing out loopholes in the system, authorities should listen instead of ignoring them,” she said.
The CBSE clarified that, in a post made by a user on social media, it has been claimed that the CBSE On-Screen Marking (OSM) portal bearing the URL cbse.onmarks.co.in was compromised by him on February 26.

