CBSE says OnMark portal ‘vulnerabilities’ have been contained amid security concerns

CBSE said it was grateful to alert citizens and ethical hackers who pointed out such flaws and contacted some of them directly.

After public posts by ethical hackers revealed vulnerabilities in the Central Board of Secondary Education’s OnMark On-Screen Marking platform, the board said on Sunday (May 31, 2026) that the identified vulnerability “has been contained and other exploitable weaknesses have been ruled out”.

The CBSE also said it was “grateful” to alert citizens for pointing out “such weaknesses”.

“We have been closely monitoring the vulnerabilities on our service provider’s OnMark portal, which are marked as public. In recent days, a team of cyber security experts from various branches of the government and IITs (Indian Institutes of Technology) has been deployed to strengthen these systems, including adopting them into the ‘official statement on CBSE’s more secure setup in anbil’. They have been suppressed and other exploitable vulnerabilities are ruled out.”

CBSE’s statement comes after 19-year-old ethical hacker Nisarga Adhikary claimed to have hacked CBSE’s digital assessment ecosystem.

Speaking to The Hindu, Mr. Adhikary said he felt “happy and satisfied” that the CBSE had finally acknowledged the vulnerability in its information technology (IT) ecosystem. “I sent my first report to CBSE on February 25 and within three to four days they took down the portal. Six to seven vulnerabilities were still active and exploitable later, but CBSE did not respond to my emails. This was quite frustrating. I noticed that CBSE has a poorly managed infrastructure and the passwords used were easy to guess,” said Mr. Adhikary.

Earlier, CBSE had rejected claims that its assessment platform had been compromised. Mr Adhikary contested this claim.

On May 30, Mr. Adhikary managed to crack the CBSE main board on the On-Screen Marking platform. “The dashboard and portal contained 9.3 million columns and rows of sensitive student data, including images of student answer sheets, which were lying unprotected and easily tampered with,” Mr. Adhikary further said.

Mr. Adhikary alleged that there were data sovereignty issues related to the way COEMPT Eduteck (CBSE’s technology supplier) handled sensitive student exam data. He claimed that an Amazon Web Services (AWS) bucket containing 2026 answer sheets and question papers could be accessed without authentication.

“COEMPT should ideally have the data stored on its own servers, but they have taken the ‘cheap and easy route’ of storing answer sheets in public Amazon Web Services mailboxes without any security checks,” Mr. Adhikary said.

He further explained that sensitive data, including students’ personal data, was processed by Google’s Gemini in automation scripts prepared by quality assurance engineers from COEMPT.

Mr Adhikary called it “appalling” and “sad” when a third party sends such data to the US for processing. “Privacy laws are not being respected and they (the company) should be sued for doing this without the consent of the students,” he further said.

Published – 31 May 2026 16:48 IST