The Central Board of Secondary Education (CBSE) on Sunday said it has contained vulnerabilities identified in the OnMark portal of its service provider and is working with cybersecurity experts to further strengthen the system.The board also thanked ethical hackers and members of the public who brought the issues to its notice. “We are grateful to all alert citizens and ethical hackers pointing out such weaknesses, and have gotten in touch with some of them directly,” the statement said.The statement comes after 19-year-old ethical hacker Nisarga Adhikary alleged security flaws in CBSE’s digital evaluation ecosystem. In a blog post, Adhikary claimed he had identified multiple vulnerabilities in the On-Screen Marking (OSM) portal that could potentially allow unauthorised access to examiner accounts and evaluation functions.The board said it had been closely monitoring the issues that were recently flagged in the public domain.Also read: Teen hacker alleges CBSE answer sheets were exposed online“We have been closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain,” CBSE said. According to the board, a team of cybersecurity experts drawn from different government agencies and Indian Institutes of Technology (IITs) has been deployed over the past few days to secure the platform and move it to a more robust setup.“An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs to fortify these systems, including taking them over to a more secure set up,” the board said..Earlier, CBSE had rejected claims that its actual evaluation platform had been compromised. The board said the URL highlighted in social media posts was only a testing portal containing sample data and not the system used for live evaluation work.In a post on Sunday, Adhikary alleged that an AWS bucket containing 2026 answer sheets and question papers could be accessed without authentication. “CBSE people didn’t configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned booklet — across institutions. Multiple institutions are using the same bucket, insanely insecure,” he wrote.Screenshots shared by Adhikary appeared to show scanned answer booklets arranged in a file directory.Congress leader Jairam Ramesh shared Adhikary’s post on X writing, “In today’s developments on Mantri Pradhan’s Ministry of Scandals, the answer sheets of 2 million CBSE Grade 12 students have been shown to be available in the public domain. This is a data breach of monumental proportions and it compromises the privacy of 2 million students,” Ramesh wrote.
