The On-Screen Marking (OSM) portal used to evaluate Class 12 answer sheets was not subjected to a sufficiently rigorous security review before it was launched, according to a member of the IIT panel examining the CBSE post-result ecosystem.
The expert committee, formed after concerns emerged over the OSM portal, is expected to submit its findings and recommendations to the Education Ministry in the coming days. Officials from IIT Madras and IIT Kanpur have been working alongside CBSE and the Digital India Corporation (DIC) to assess weaknesses in the board's digital evaluation infrastructure.
IIT Panel Identifies Security Weaknesses
During the review, the panel found multiple vulnerabilities in the OSM system. Following these findings, experts helped create a new examiner-facing portal using the base code of the discontinued platform. The revised system is currently being used for answer-sheet verification and re-evaluation processes.
According to the panel member, the original portal had undergone an audit before deployment, but the review was not comprehensive enough to detect all critical vulnerabilities.
"It was not thoroughly tested. It is not like it (the portal) was not tested, there was an auditor hired by CBSE who tested it and gave its go ahead and everything. But a through analaysis was not done, that should have been done. The auditing was not suficient," the member told ANI on condition of anonymity.
Findings Echo Concerns Raised by Ethical Hacker
The IIT panel's observations align with issues earlier highlighted by 19-year-old ethical hacker Nisarga Adhikary. Several vulnerabilities identified independently by him were also detected during the committee's assessment.
"The auditing was done, and some vulnerabilities were found, but several others were missed. Systems handling critical data require deeper and more rigorous security analysis," the panel member said.
Among the concerns raised were vulnerabilities that allegedly enabled OTP bypass mechanisms, access through a hardcoded master password, and potential exposure of answer-sheet records.
Call for Stronger Cybersecurity Measures
The panel has recommended advanced testing methods, including vulnerability assessments, penetration testing, and Red Team-Blue Team exercises, for digital platforms handling sensitive educational data.
"Cybersecurity operations involve offensive and defensive functions. There are Red Teams and Blue Teams that attempt to identify weaknesses and strengthen the system. All these mechanisms need to be employed to thoroughly examine a platform of this scale," the member said.
The expert also emphasised that stronger security reviews should become mandatory for public-facing platforms.
"Portals that are exposed to the external world need to be thoroughly tested for functionality, threats and security. We will be giving these recommendations more specifically in our report," the member said.
No Evidence of Student Data Leak
While acknowledging that serious vulnerabilities existed, the panel member clarified that investigators had not found evidence suggesting student records were leaked or misused.
"I spoke to Nisarga. He was able to download some data but deleted it. We have not observed any evidence of records being leaked outside. It was an ethical hack," the member said.
The expert further noted that the newly developed portal is only a temporary solution and that a more robust long-term system would eventually be required.
On the possibility of CBSE managing such platforms entirely on its own, the member said the board would continue to require support from specialised technology organisations.
"CBSE cannot do everything in-house and completely avoid involving third parties. It does not have that level of expertise. They need to engage with specialised organisations," the member said.
Summing up the lessons from the controversy, the panel member stressed the importance of stronger data governance and comprehensive security reviews.
"The first thing needed is that CBSE should have control over the data. There has to be a thorough security analysis, which was not done adequately in this case," the member said.
-
Ruben Amorim’s Two-Year AC Milan Deal Brings Financial Relief for Manchester United
-
England vs Croatia – World Cup Group L Preview and Team Updates
-
Stock Market Today: Sensex Gains 347 Points, Nifty Nears 24,100; Defence Stocks Rally
-
BOB Recruitment 2026: Applications open for Manager and Senior Manager posts; salary to exceed ₹1 lakh..
-
Freelander International announces dimensions of its first strategic model: Freelander 8
