Student Claims "123456" Password Exposes CBSE-Linked Systems to Major Security Risks

Sarthak Sidhant, a 17-year-old student, alleges critical security flaws in CBSE-linked portals, including an administrative login accessible with "123456". He claims the data of millions of students is at risk due to default passwords and obsolete encryption.

A 17-year-old student has brought to light alleged widespread security vulnerabilities within systems linked to India's Central Board of Secondary Education (CBSE), claiming that the data of millions of students could be at risk. Sarthak Sidhant, a Class 12 student, detailed multiple security lapses, including an administrative portal reportedly accessible with the alarmingly simple password "123456".

Allegations of Widespread Vulnerabilities

Sidhant's recent blog post, shared on X, asserts that "almost every single OnMark portal built by EduTek is fundamentally insecure." He specifically cited the discovery of default passwords, URL-based Remote Code Execution (RCE) vulnerabilities, and the use of raw MD5 hashes for password storage.

One of the most concerning claims involves an administrative portal linked to the OnMark system, developed by EduTek. Sidhant, collaborating with 19-year-old ethical hacker Nisarga Adhikary, reported gaining administrative access to this portal using "123456" as the password. This level of access, he argued, indicates a catastrophic lack of security baked into multiple OnMark-linked domains.

Outdated Encryption and Other Flaws

Beyond the default password, Sidhant also highlighted security weaknesses in the SARAS portal (CBSE's School Affiliation Re-Engineered Automation System), which he noted was built by a different vendor. His review revealed that SARAS stored administrator passwords as raw MD5 hashes. MD5 is a hashing algorithm widely considered obsolete for password storage: a raw (unsalted, single-round) MD5 hash can be matched against a precomputed table of common passwords in an instant, so such hashes are highly vulnerable to brute-force attacks. Sidhant stated he responsibly disclosed this vulnerability, which was subsequently fixed.

These allegations follow Sidhant's earlier analysis of CBSE tender documents, which questioned the process by which EduTek (previously known as Globarena Technologies, a company linked to a 2019 examination controversy) secured the On-Screen Marking (OSM) contract.

CBSE's Response to Security Concerns

In response to earlier claims of publicly accessible examination files, CBSE rejected the notion that its actual evaluation platform was compromised. The board clarified that a URL cited in social media posts was merely a testing site containing sample data for internal review, not the live portal used for evaluating answer sheets.

"The Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post," CBSE stated, adding that "no security breaches have come to light on the Portal deployed for the actual evaluation work."

Despite CBSE's assurances regarding its live evaluation system, Sidhant's latest findings raise significant questions about the broader security posture of its linked systems and the protection of student data.