Key facts
- The On-Screen Marking (OSM) portal for Class XII answer sheets was not thoroughly tested for functionality and security before deployment.
- An IIT panel auditing the CBSE's post-result ecosystem found multiple vulnerabilities in the portal.
- The panel's findings align with those of a 19-year-old ethical hacker who identified similar flaws.
- The IIT panel is expected to submit its report with recommendations to the Education Ministry soon.
- The CBSE currently lacks the in-house technical expertise to independently manage such large-scale digital systems.
A member of an IIT panel auditing the Central Board of Secondary Education's (CBSE) post-result system has stated that the On-Screen Marking (OSM) portal, utilized for evaluating Class XII answer sheets, did not undergo sufficient testing for functionality and security threats before its deployment.
The panel, formed after controversy surrounding the portal, is preparing to submit its findings and recommendations to the Education Ministry. Officials from IIT Madras and IIT Kanpur collaborated with CBSE and Digital India Corporation (DIC) to identify vulnerabilities within the CBSE's post-exam digital infrastructure.
Multiple security flaws were discovered in the original OSM portal, which had undergone an audit that the panel member described as not comprehensive enough. These vulnerabilities were also independently identified by 19-year-old ethical hacker Nisarga Adhikary, who noted issues such as OTP bypass and access to examiner accounts via a hardcoded password.
The IIT panel assisted in developing a new examiner-facing portal, built on the base code of the discontinued system, which is currently in use for answer sheet verification and re-evaluation. The panel member emphasized the need for rigorous security assessments, including penetration testing and Red Team-Blue Team exercises, for sensitive platforms.
Recommendations for deeper, multi-layered security audits will be included in the panel's report. While the ethical hacking incident exposed serious flaws, the panel member stated there is no evidence of student records being leaked or misused. The new portal is considered a "patchwork," and a more robust long-term solution is required. The panel member also noted that CBSE lacks the in-house technical expertise to manage such large-scale systems independently and must engage specialized external agencies, while retaining greater control over its data.