- CBSE Marking Portal Hack Claim | Cyber Researcher Nisarg Adhikari
18 hours ago

A 19-year-old student, Nisarg Adhikari, has claimed that he hacked the CBSE website easily. Nisarg is a cyber security researcher. His blog post was shared by entrepreneur DD Das on his Twitter account.
Nisarg had raised the alert in February itself
Nisarg said in his blog that he had also alerted the Government of India's cyber security agency, CERT-In, in February 2026. Board exam data on the CBSE portal can also be easily viewed without the help of any password. The password used here is also just a name.

Nisarg claims that he easily got access to the entire portal.
Many flaws in CBSE’s onscreen marking portal
Nisarg's post, released on May 22, claimed that there are many flaws in the CBSE onscreen marking portal. Even after Nisarg alerted CERT-In in February 2026, no action was taken on the matter.
On May 26, DD Das made Nisarg’s post viral on Twitter and wrote that anyone can view or change the marking scheme on the CBSE website.
CBSE OSM Portal Public
Nisarg said in his blog that CBSE's OSM portal (where teachers check copies online) was completely public. He was surprised when he looked at the website's code.
According to Nisarg, only three things were asked for on the login page: user ID, school code and password, followed by an OTP. Everything looked normal from the outside, but the real problem was inside the code.
It is very easy to view the password on the portal
The biggest flaw in the portal was that one of its master passwords was openly stored in a part of the code. Anyone could see it easily. Nisarg claimed that using the master password on the CBSE portal eliminated the need for the OTP.
After that, the account of any examiner (a teacher checking copies) could be easily accessed. For this, only a user ID and school code were required, which are easily available on the internet.
Lack of proper route protection on portal
According to Nisarg, there are many more internal routes in this application that have no proper protection. The Dashboard, Profile, Eval Scripts View and Verification pages of the CBSE portal can be easily viewed by way of the browser storage.
Anyone can tamper by posing as an examiner
In this way, the entire account could be controlled by just giving a few commands, without entering the real password. Because of this flaw, any user could tamper with the copies by posing as an examiner.
Easy to log in without entering OTP
The OTP system of the portal was just a sham. The OTP that should arrive on your phone could be seen on the website itself. With a little cleverness, any user could log in without entering the OTP.
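The three flaws described above (a master password readable in the site's code, an OTP visible on the website, and internal routes without proper protection) have one remedy in common: the checks must run on the server. The Python below is an added example showing that pattern; it is not code from the CBSE portal or from Nisarg's blog, and the function names, the 5-minute expiry and the 5-try limit are assumptions.

```python
# Added example (constructed): names and limits are assumptions, not taken
# from the CBSE portal or from Nisarg's blog.
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300
MAX_TRIES = 5
_pending = {}    # user_id -> [otp_hash, expires_at, tries]
_sessions = {}   # token -> {"user_id": ..., "role": ...}


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


def start_otp(user_id, now=None):
    """Create an OTP after the password check. Returns (http_body, sms_text):
    only sms_text carries the code; the body sent to the browser does not."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[user_id] = [_digest(otp), now + OTP_TTL_SECONDS, 0]
    return {"status": "otp_sent"}, otp


def verify_otp(user_id, submitted, now=None):
    """Compare on the server, in constant time. No master value skips this
    step. Returns a session token, or None on failure."""
    now = time.time() if now is None else now
    rec = _pending.get(user_id)
    if rec is None:
        return None
    rec[2] += 1
    if now > rec[1] or rec[2] > MAX_TRIES:
        _pending.pop(user_id, None)            # expired or locked out
        return None
    if not hmac.compare_digest(rec[0], _digest(str(submitted))):
        return None
    del _pending[user_id]                      # one-time use
    token = secrets.token_hex(32)
    # Role is fixed here for brevity; a real system reads it from the user record.
    _sessions[token] = {"user_id": user_id, "role": "examiner"}
    return token


def authorize(token, required_role):
    """Every internal route asks the server-side session store; a flag the
    client wrote into browser storage is never consulted."""
    session = _sessions.get(token)
    return session is not None and session["role"] == required_role
```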
The CBSE portal has become a topic of discussion among users after DD Das released the post on his Twitter account. CBSE has 33 thousand schools in India. There is no shortage of these schools even in foreign countries. Therefore, this examination system affects lakhs of students.
