A recent revelation by a 19-year-old ethical hacker has put the Central Board of Secondary Education (CBSE) under scrutiny regarding the security of its digital infrastructure. Nisarga Adhikary alleged that sensitive examination materials, including answer sheets and question papers, were publicly accessible online due to improper configuration of a CBSE-linked Amazon Web Services (AWS) bucket.
Adhikary detailed his findings in a post on X, stating that the AWS storage system allowed unauthenticated users to browse and download a significant volume of examination-related files. He wrote, "CBSE people didn't configure their AWS bucket properly, and now we can paginate and enumerate all their media, which has 2026 answer sheets and question papers." The hacker described the setup as "insanely insecure," emphasizing that anyone with internet access could download scanned booklets.
Details of the Vulnerability
According to Adhikary, the vulnerability stemmed from the AWS bucket permitting the ListObjectsV2 operation without any authentication. This allowed individuals to list all files within the bucket's root directory and subsequently access and download scanned answer booklets from various institutions. The exposure of such critical academic documents raises significant concerns about data privacy and the integrity of the examination process.
Broader Context: The OSM Controversy
These new allegations compound existing controversies surrounding the CBSE, particularly following the recent On-Screen Marking (OSM) system. That debate initially involved widespread complaints from students and parents about blurred answer sheets, missing pages, and evaluation errors during the Class 12 examinations.
The OSM controversy escalated when another student, 17-year-old Sarthak Sidhant, reviewed numerous CBSE tender documents. Sidhant alleged that modifications to eligibility and security requirements across successive bidding rounds might have unfairly benefited Hyderabad-based Coempt Eduteck in securing the OSM contract. Coempt Eduteck, he claimed, was previously known as Globarena Technologies, a company linked to the 2019 Telangana Intermediate Examination controversy, where software and evaluation issues reportedly affected thousands of students' results and were associated with multiple student suicides.
The current allegations by Nisarga Adhikary further intensify the pressure on CBSE to address its digital security practices and ensure the safeguarding of sensitive student data and examination materials.