CBSE Hacking Row Explodes: Board Denies OSM Breach, Teen Hacker Disputes ‘Testing Site’ Claim

New Delhi: The Central Board of Secondary Education (CBSE) has released a clarification following widespread criticism of accusations that its On-Screen Marking (OSM) portal was hacked by a 19-year-old self-taught cybersecurity enthusiast.   

The controversy erupted after Nisarga Adhikary claimed to have discovered severe flaws in the system related to the evaluation and processing of Class 12 board results for nearly two million pupils. The problem escalated after the CBSE website momentarily went down on Tuesday, causing fury online and increasing fears about the security of students' data and grades. 

However, CBSE has recently clarified that the portal allegedly accessed by the hacker was not the actual evaluation system for reviewing answer sheets.

‘Only A Testing Site, No Real Marks Data’: CBSE

In its clarification, CBSE said the URL mentioned in the hacking claims, cbse.onmarks.co.in,  was only a testing portal used internally with sample data.

“At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post," the CBSE said.

“The URL: http://cbse.onmarks.co.in is the testing site only with sample data for internal testing and review purposes. There are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the Portal deployed for the actual evaluation work."

The Board further stated that the OSM system was implemented this year to increase transparency in the evaluation process, and that stringent protections are in place to secure the operational platform utilized for actual assessments. 

CBSE further stated that no vulnerabilities affecting the actual evaluation process have been reported thus far.

Hacker Says He Warned Authorities Months Ago

Before the clarification, Nisarga Adhikary published a thorough blog post outlining how he supposedly uncovered various security holes in the platform. According to him, he notified authorities about three months ago, but only part of the difficulties were resolved.

He claimed the portal exposed a “master password” inside a publicly accessible JavaScript file. According to Adhikary, anyone downloading the code could allegedly access the password and bypass the OTP authentication process.

“The login page asks for three things: a user ID, a school code, and a password, followed by an OTP step. Nothing about that screen looks unusual. The problems only showed up once I stopped looking at the page and started looking at the code behind it," Adhikary wrote.

He further claimed, “Anyone exploiting these could also tamper with or disrupt the grading process, which directly threatens the integrity of the exam evaluations."

The issue gained wider attention after tech investor Deedy Das reacted strongly on X, calling the situation “an absolute embarrassment" and saying the futures and lives of millions were in the hands of the “utterly incompetent".

Debate Continues Even After CBSE Clarification

Despite CBSE's clarification that the compromised URL belonged only to a testing environment, the student later alleged that the new URL supplied by the Board still contained technical flaws. 

That accusation has fueled the discussion over cybersecurity preparation, digital monitoring, and transparency in one of India's largest examination systems.

The OSM method, which CBSE implemented this year as part of its digital push, has already been the subject of controversy in recent weeks in response to student complaints about answer sheet access and re-evaluation procedures. CBSE has stated that the actual evaluation platform is secure and that no genuine marks or assessment data have been stolen.