
IIT Panel Reveals Security Gaps in CBSE's OSM Portal for Class XII Evaluation

An IIT panel member reveals that CBSE's On-Screen Marking portal lacked thorough security testing before deployment, exposing vulnerabilities in the system used to evaluate lakhs of Class XII answer sheets.

AC Team


The system used to check lakhs of Class XII answer sheets had serious security problems. An IIT panel member confirmed that the On-Screen Marking (OSM) portal was not tested properly before it went live.

The panel, set up after controversy around the OSM portal, will submit its findings to the Education Ministry soon. Experts from IIT Madras and IIT Kanpur worked with CBSE and other agencies like Digital India Corporation to find weak spots in the system.

What Went Wrong

The portal did go through an audit. A company hired by CBSE checked it and gave approval. But the checking was not deep enough. Many critical security holes remained hidden.

"It was not thoroughly tested. The auditing was not sufficient," the IIT panel member told ANI, speaking anonymously.

The portal was built and run by Coempt Eduteck, a private IT service provider now at the centre of the Class XII result controversy.

A Teenager Found What Experts Missed

Here's where it gets interesting. A 19-year-old ethical hacker from West Bengal named Nisarga Adhikary found several vulnerabilities that the official audit had missed. His findings matched what the IIT panel later discovered.

Nisarga spotted severe flaws. The system allowed OTP bypass. It had a hardcoded master password that could access examiner accounts. Someone could potentially view millions of students' answer sheets.

The panel member spoke with Nisarga and confirmed he downloaded some data during his ethical hack but deleted it. "We have not observed any evidence of records being leaked outside. It was an ethical hack," the member said.

What Should Have Been Done

Systems that handle sensitive student data need much stronger security checks. The IIT panel member explained that proper testing should include vulnerability assessment, penetration testing, and Red Team-Blue Team exercises.

Think of it like this: Red Teams act as attackers trying to break into the system. Blue Teams defend against these attacks. This back and forth helps find and fix weak points before real hackers can exploit them.

"Portals that are exposed to the external world need to be thoroughly tested for functionality, threats and security. We will be giving these recommendations more specifically in our report," the panel member said.

The Quick Fix and What Comes Next

After finding the problems, the IIT panel helped create a new portal using the base code of the old system. This new portal is now being used for verification and re-evaluation of answer sheets.

But the panel member described this solution as "a kind of patchwork." A stronger, long-term fix will be needed for future exams.

Can CBSE Do This Alone?

The board doesn't have the technical skills to build and manage such large systems on its own. It needs to work with outside agencies. But here's the key point: CBSE must keep control over its data.

"CBSE cannot do everything in-house and completely avoid involving third parties. It does not have that level of expertise. They need to engage with specialised organisations," the member explained.

The lesson is clear. When you work with outside vendors, you still need to own your data. And any platform handling exam records must go through complete security checks before students' futures depend on it.

What This Means for Students and Parents

Lakhs of students take Class XII exams every year. Their answer sheets contain personal information and determine their future education paths. A security breach could affect college admissions, scholarships, and career opportunities.

The good news is that no evidence suggests student records were leaked or misused in this case. The bad news is that the vulnerabilities existed in the first place.

The IIT panel's report will include detailed recommendations for deeper, multi-layered security audits. These suggestions will apply to all sensitive digital platforms used in education.

This incident serves as a wake-up call. As more education processes move online, security cannot be an afterthought. It must be built into systems from the start, with regular, thorough testing before deployment.

The new portal is running now. Students can get their papers rechecked. But the real work lies ahead in building a system that's secure from day one, not after problems are discovered by a curious teenager with coding skills.

Tags: CBSE, OSM Portal, Cybersecurity, Education Technology, Data Security, IIT Panel, Digital Evaluation, Student Data Protection
