The Central Board of Secondary Education (CBSE) has announced the deployment of cybersecurity experts from various government agencies and the Indian Institutes of Technology (IITs) to fortify its digital infrastructure. This move comes in response to recent public allegations of significant security vulnerabilities within platforms linked to its On-Screen Marking (OSM) ecosystem.
The board's detailed statement addresses claims made by 17-year-old student Sarthak Sidhant and 19-year-old ethical hacker Nisarga Adhikary, who highlighted security weaknesses across several CBSE-associated portals.
Vulnerabilities in OnMark Portal Identified
CBSE confirmed that it has been closely monitoring reported vulnerabilities within the OnMark portal of its service provider. An expert team of cybersecurity professionals has been actively working to strengthen these systems, including transitioning them to more secure setups. The board stated, "The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out."
Student Sarthak Sidhant had previously published a blog post alleging that "almost every single OnMark portal built by EduTek is fundamentally insecure." His claims included the use of weak passwords, such as "123456" for an administrative portal, outdated MD5 password hashes, and broader infrastructure weaknesses that potentially exposed student data.
Ethical Hacker Alleges Data Exposure
In parallel, ethical hacker Nisarga Adhikary claimed to have uncovered vulnerabilities in CBSE-linked platforms, asserting that examination-related files stored on cloud infrastructure were publicly accessible due to misconfigurations.
Earlier in the week, CBSE had initially refuted claims that its primary answer-sheet evaluation platform was compromised, clarifying that a referenced URL in social media posts was a testing portal with sample data, not the live evaluation system. However, the board's latest statement acknowledges vulnerabilities specifically within the OnMark portal of its service provider, signaling active remediation efforts.
Call for Further Inputs
The CBSE expressed gratitude to all alert citizens and ethical hackers for pointing out these weaknesses, noting that it has directly contacted some individuals. The board also urged others with further security inputs to reach out to its security teams at secy-cbse@nic.in.