CBSE's OnMark Portal Was Hacked Twice: What Digital Evaluation Must Get Right on Security
A 19-year-old ethical hacker exposed critical vulnerabilities in CBSE's OnMark portal, including an unsecured AWS bucket holding millions of answer sheets. Here is what happened and what it means for every institution adopting digital evaluation.

The Breach That No One Was Supposed to Find
In May 2026, as India processed the results of its most ambitious digital examination experiment, a 19-year-old named Nisarga Adhikary discovered something alarming: the OnMark portal — the platform CBSE used to host, manage, and evaluate over five million Class 12 answer scripts — was publicly accessible in ways it should never have been.
Adhikary's findings were specific and technical. An Amazon Web Services (AWS) S3 storage bucket linked to the evaluation platform could be accessed without any authentication. The ListObjectsV2 API endpoint was open to the public, allowing anyone to enumerate and download scanned answer booklets and question papers from the 2026 examination cycle. No login. No token. No verification.
That was the most serious flaw, but not the only one.
What the Hacker Found
The vulnerabilities disclosed by Adhikary represented a cascade of security failures:
Unsecured cloud storage. The AWS S3 bucket root was listable by any user who knew the endpoint. Scanned answer sheets — containing the handwritten responses of millions of students — were effectively browseable and downloadable without authentication.
Hardcoded master password. A master password was embedded directly in code that was publicly accessible. This is a fundamental violation of secure coding practice: anyone who could read the codebase could authenticate as a privileged administrator.
Exposed OTPs. One-time passwords, used as a second authentication factor, were visible in browser responses without any prior authentication requirement — rendering them useless as a security layer.
Unrestricted password reset. The platform allowed any user to reset any examiner's password without verification. Access to any evaluator's account could be trivially gained by anyone who knew an examiner's registered email address.
The portal was reportedly breached twice before CBSE acknowledged the vulnerabilities and took corrective action. CBSE subsequently deployed cybersecurity experts from IIT Madras, IIT Kanpur, and government agencies to audit and fortify the system.
Why This Happened
Security failures of this kind rarely result from a single decision. They emerge from systemic pressures: tight procurement timelines, insufficient security testing, the assumption that obscurity substitutes for access control, and the underestimation of what bad actors can do with publicly exposed endpoints.
CBSE moved from a physical evaluation model to a full-scale digital platform in a single examination cycle, covering approximately 5.6 million students in Class 12 alone. The procurement process began with a Request for Proposal in August 2025. By February 2026, the platform was operational at national scale. That is a compressed timeline for a system handling data of this sensitivity.
The CBSE OSM exercise was already under scrutiny from multiple directions — blurred scans, missing pages, wrong answer sheets uploaded against incorrect roll numbers, portal crashes during the re-evaluation application window — when the security vulnerabilities emerged. The hacker disclosure compounded what had already become a difficult first year for India's largest digital evaluation initiative.
The Regulatory Dimension: DPDP Act 2023
India's Digital Personal Data Protection Act, 2023 (DPDP Act) places explicit obligations on institutions handling personal data of students. Examination records — including handwritten answer sheets — constitute personal data. An S3 bucket configured to allow unauthenticated enumeration and download of such records would, if exploited maliciously, represent a significant legal exposure.
CBSE did not confirm that malicious actors accessed the exposed data before Adhikary's disclosure. But the gap between "a 19-year-old can find this in days" and "malicious actors are not already aware of it" is not one any institution should rely on.
Under the DPDP Act, data fiduciaries — which include examination boards and universities — are required to implement reasonable security safeguards proportional to the sensitivity of the data they hold. An unauthenticated S3 bucket holding millions of answer sheets would not qualify as a reasonable safeguard under any interpretation.
What Secure Digital Evaluation Architecture Looks Like
The CBSE experience defines a set of architectural requirements that any institution adopting digital evaluation should treat as non-negotiable:
Storage access controls. Answer sheet images and evaluation data must be stored with strict access policies. No S3 bucket containing examination data should allow public listing or anonymous access. Signed, time-limited URLs should be used for any authorised access, with access logs retained and audited.
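The listing flaw above (an anonymous `ListObjectsV2` call, which the `s3:ListBucket` IAM action governs) is the kind of misconfiguration a procurement reviewer can check mechanically. The following added example, which is not code from the page or from OnMark, audits a bucket policy document for anonymous list/read grants and places a constructed exposed policy beside a hardened one; the bucket ARN and the role ARN are placeholders.

```python
import fnmatch
import json

# IAM actions that let a caller enumerate or download objects. The ListObjectsV2
# API the exposed bucket answered is governed by the s3:ListBucket action.
SENSITIVE_ACTIONS = ("s3:ListBucket", "s3:GetObject")
BUCKET = "arn:aws:s3:::example-answer-sheets"  # placeholder bucket ARN


def _is_anonymous(principal) -> bool:
    """True when a statement's Principal is the wildcard, i.e. everyone."""
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"


def public_grants(policy_json: str) -> list:
    """Return (Sid, action, has_condition) for every Allow granted to anyone
    that covers listing or reading; wildcard actions such as s3:* are expanded."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        for pattern in ([actions] if isinstance(actions, str) else actions):
            for action in SENSITIVE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", "<no Sid>"), action, "Condition" in stmt))
    return findings


# Constructed policy resembling the misconfiguration described above.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": [BUCKET, BUCKET + "/*"]}]})

# Hardened form: only the evaluation service role may read, and only over TLS.
# Pair it with S3 Block Public Access on the account, which a bucket policy
# cannot express by itself.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EvaluationServiceRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/osm-evaluation"},  # placeholder
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_grants(doc) or "no anonymous list/read grants")
```

Signed, time-limited URLs for evaluator access are issued by the service role the hardened policy names; they are not shown here.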
Secret management. Credentials, master passwords, and API keys must never appear in application code or any publicly accessible repository. Secret management services (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, or equivalent) exist precisely for this purpose. A vendor that embeds secrets in code is not operating at a professional standard.
Authentication integrity. OTPs and session tokens must be generated server-side and transmitted only through secure, authenticated channels. Exposing authentication values in browser responses negates their purpose entirely.
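To make the OTP and password-reset requirements concrete, here is an added example (not code from the page or from the OnMark platform) of a server-side OTP service: the browser receives only an opaque challenge id, the code itself leaves through a hypothetical `send_code` delivery hook, a digest rather than the code is stored, and a password reset is honoured only for the account that proved receipt of the OTP, which closes the "reset any examiner's password" hole described above.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5

class OtpService:
    """Server-side OTP issuance and verification. The dict returned by issue()
    is the only thing that reaches the browser; the code never appears in it."""

    def __init__(self, send_code, now=time.time):
        self._send = send_code   # hypothetical hook: callable(destination, code)
        self._now = now          # injectable clock so expiry can be exercised
        self._challenges = {}    # challenge_id -> record

    def issue(self, account_id: str, destination: str) -> dict:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = {"account": account_id, "attempts": 0,
                                          "digest": hashlib.sha256(code.encode()).digest(),  # digest, never the code
                                          "expires": self._now() + OTP_TTL_SECONDS}
        self._send(destination, code)   # out of band: SMS or e-mail, not the HTTP response
        return {"challenge_id": challenge_id, "expires_in": OTP_TTL_SECONDS}

    def verify(self, challenge_id: str, submitted: str):
        """Return the account id this challenge proves, or None."""
        rec = self._challenges.get(challenge_id)
        if rec is None or self._now() > rec["expires"]:
            self._challenges.pop(challenge_id, None)
            return None
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._challenges[challenge_id]  # burn the challenge under brute force
            return None
        if not hmac.compare_digest(rec["digest"], hashlib.sha256(submitted.encode()).digest()):
            return None
        del self._challenges[challenge_id]      # single use
        return rec["account"]

def reset_password(otp: OtpService, challenge_id: str, code: str,
                   target_account: str, new_hash: str, store: dict) -> bool:
    """Reset only the account that received the OTP; knowing an e-mail address is not enough."""
    if otp.verify(challenge_id, code) != target_account:
        return False
    store[target_account] = new_hash
    return True
```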
Penetration testing before go-live. A platform handling the examination records of millions of students must undergo formal penetration testing — by external testers not affiliated with the development vendor — before it handles any live data. This should be a contractual requirement, not an optional add-on.
Vendor security standards in the RFP. Procurement specifications must include explicit, verifiable security requirements:
| Requirement | Minimum Standard |
|---|---|
| Data encryption at rest | AES-256 or equivalent |
| Data encryption in transit | TLS 1.2 or higher |
| Authentication | Multi-factor for all privileged access |
| Penetration testing | Independent test within 12 months |
| Cloud storage configuration | No public bucket access; signed URLs only |
| Incident response | Documented plan with <4-hour notification SLA |
What This Means for Universities and State Boards
Several state boards — including Punjab and Maharashtra — are actively evaluating or piloting on-screen marking. Each will face procurement decisions. The CBSE experience provides a direct lesson: security requirements must be embedded in procurement specifications from the outset, not retrofitted after a public disclosure.
Universities running their own digital evaluation infrastructure face the same risk profile. An autonomous institution evaluating 30,000 answer scripts per semester may not attract the public attention CBSE does, but the data is equally personal, equally regulated under the DPDP Act, and equally vulnerable to misconfiguration.
State boards and universities should require prospective OSM vendors to provide:
The Positive Reading
Nisarga Adhikary's disclosure was an act of responsible ethical research. The vulnerabilities were reported to CBSE before any malicious actor, as far as is publicly known, exploited them at scale. The IIT teams deployed in response have presumably remediated the critical issues.
The incident also generated something valuable: a public, detailed account of exactly what went wrong in India's first large-scale digital evaluation deployment. State boards and universities now have a checklist of what to verify before any vendor operates their examination data.
That checklist did not exist a year ago. CBSE's painful first year has made it available to every institution that comes after.
A Question Every Institution Should Ask
The CBSE OnMark portal handled data for 5.6 million students and still shipped with an unauthenticated S3 bucket and a hardcoded master password. This was not a resource-constrained institution running a small system. It was India's largest exam board deploying at national scale.
Any institution building or procuring digital evaluation infrastructure should ask its current or prospective vendor a direct question: could a determined and technically skilled teenager find in our system what Nisarga Adhikary found in OnMark?
If the answer is uncertain, procurement specifications need revision before a single answer sheet goes digital.