How a 16-Year-Old in Dubai Exposed Security Gaps Across India's Three Biggest Exam Portals
In a single evening in June 2026, Rylen Anil found critical vulnerabilities in JEE Advanced, NEET, and CBSE OnMark portals and reported them responsibly. What this reveals about the state of India's examination infrastructure security.

The Night Three Portals Fell
In June 2026, a 16-year-old Class 12 student in Dubai spent roughly three to four hours probing the digital infrastructure behind India's most consequential examinations. By the time Rylen Anil — a Kerala-origin student with a passion for cybersecurity he had been cultivating since eighth grade — was done, he had documented critical vulnerabilities in three separate systems: the JEE Advanced 2026 results portal, the NEET examination system, and CBSE's OnMark evaluation platform.
He reported every finding to CERT-In, India's national cybersecurity response team, before saying anything publicly.
What he found — and how institutions responded — offers a diagnostic view of where India's examination infrastructure stands today, and what must change before the next crisis.
Three Systems, Three Different Failure Modes
JEE Advanced: Cloud Misconfiguration at Scale
The flaw in the JEE Advanced 2026 portal was the most quantifiable. A publicly accessible cloud storage bucket linked to the official results portal was misconfigured to allow unauthenticated listing and retrieval of files. The exposure included approximately 179,600 result records and 187,300 admit-card PDFs.
Data accessible without a password: candidate names, dates of birth, mobile numbers, and in some cases examination scores and ranks.
IIT Roorkee acknowledged the vulnerability, noted the data was stored in read-only mode, and initiated corrective action. The Ministry of Education stated no information had been compromised. Security professionals, however, note that read-only exposure of personal data still enables identity theft, targeted phishing, and counselling fraud — attacks that require only the ability to read, not modify, records. Reports emerged within days of individuals using accurate rank and score data to run convincing fraudulent counselling operations, contacting candidates by name and referencing their exact results to appear credible.
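The bucket flaw described above is a policy error, not an exploit, so it can be caught by a static check before a results portal goes live. The following is an added example (not code from the JEE Advanced portal, IIT Roorkee, or the researcher) that audits an S3-style bucket policy document for any statement granting list or read access to anonymous callers; both policy documents are constructed, and the account ID and role name in the corrected one are made up.

```python
"""Added example, not code from the JEE Advanced portal, IIT Roorkee or the
researcher: a static audit of an S3-style bucket policy document for
statements that let anonymous callers list or read objects, the class of
misconfiguration described above. Both policy documents are constructed for
illustration; the account ID and role name in the corrected one are made up."""
import json

# Actions that, when granted to an anonymous principal, expose bucket contents.
READ_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """AWS spells the anonymous principal as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_read_grants(policy_json):
    """Return (statement id, action, has_condition) for every Allow statement
    that grants a read/list action to anyone. A Condition block narrows the
    grant but is often bypassable (aws:Referer is client-controlled), so it is
    reported, not suppressed."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        for action in _as_list(stmt.get("Action")):
            if action in READ_ACTIONS:
                findings.append((sid, action, bool(stmt.get("Condition"))))
    return findings


# Constructed: the kind of policy that lets anyone list and download every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::exam-results", "arn:aws:s3:::exam-results/*"],
    }],
})

# Constructed: only the portal's own (hypothetical) role may read, and only one prefix.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PortalRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/results-portal"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::exam-results/2026/*",
    }],
})

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("locked", LOCKED_POLICY)):
        print(name, public_read_grants(policy))
```

Note that a lone `s3:GetObject` grant is reported even without `s3:ListBucket`: the article's point about "read-only" exposure holds here too, since anyone who can guess or enumerate object keys (admit-card PDFs named after roll numbers, for instance) can download them. The bucket policy is only one of three routes to public access; a full audit also checks the bucket ACL and the account-level Public Access Block, and on AWS `aws s3api get-bucket-policy-status --bucket NAME` reports the provider's own `IsPublic` verdict.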
NEET: Weak Credentials on a Super-Admin Portal
The NEET system presented a different category of failure. Anil identified extremely weak credentials protecting the super-admin portal — credentials that, if exploited by a malicious actor rather than a researcher, would have permitted access to sensitive student and parental data for every registered candidate.
Weak or default administrative credentials are one of the most commonly documented and most consistently ignored vulnerabilities in web applications. For a system managing the medical aspirations of over 22 lakh students, the gap between the protection the data warranted and the protection actually in place was significant.
CBSE OnMark: Guessable Credentials Touching Live Evaluation
The third finding, on CBSE's OnMark evaluation portal — made in collaboration with fellow ethical hacker Nisarga Adhikary — was operationally the most sensitive. The researchers found guessable credentials that could expose evaluator emails, usernames, passwords, and phone numbers. More critically, the vulnerability extended to live marking interfaces and answer scripts during active evaluation.
This is not merely a data privacy issue. Access to the marking interface carries the potential to interfere with scores, not just expose personal records. Additional technical analysis of the OnMark portal separately identified Insecure Direct Object Reference (IDOR) vulnerabilities, in which examiner and validator IDs were read from browser session storage and then trusted by the server, so that changing the ID in the browser changed whose records came back, and OTP validation performed in the browser rather than on the server, so that anyone controlling the page could skip or force the check. Both are textbook failures in secure authentication design.
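The two failures just described share a root cause: the server lets the browser decide something only the server can know. The following is an added example (not code from the OnMark portal or from the researchers) that models each weakness beside its server-side fix: the vulnerable handler trusts an examiner ID supplied by the client and a "verified" flag set by client-side OTP logic, while the hardened handlers derive identity from a server-side session and check the OTP with expiry, an attempt limit, a constant-time compare and single use. All examiner IDs, script IDs, session tokens and answer text are constructed.

```python
"""Added example, not code from the OnMark portal or from the researchers:
a minimal model of the two authentication failures described above (an
examiner ID taken from the browser's session storage and trusted by the
server, and OTP checks performed in the browser) beside the server-side
versions. Examiner IDs, script IDs, session tokens and answer text are all
constructed for illustration."""
import hashlib
import hmac
import secrets
import time

# Constructed: which examiner is assigned which answer script.
SCRIPTS = {
    "script-1001": {"examiner": "ex-7", "answers": "candidate A, 42/80"},
    "script-1002": {"examiner": "ex-9", "answers": "candidate B, 67/80"},
}
# Server-side session store: opaque token -> examiner the server authenticated.
SESSIONS = {"sess-ex7": "ex-7"}


def fetch_script_vulnerable(request):
    """IDOR: the examiner ID is read from the client (sessionStorage) and trusted.
    Whoever sends the assigned examiner's ID with a guessed script ID gets the script."""
    script = SCRIPTS.get(request["script_id"])
    if script and request["examiner_id"] == script["examiner"]:
        return script["answers"]
    return None


def fetch_script(request):
    """Authorisation from server state: identity comes from the session token,
    and the server checks that this examiner is assigned the requested script."""
    examiner = SESSIONS.get(request.get("session"))
    script = SCRIPTS.get(request.get("script_id"))
    if examiner is None or script is None or script["examiner"] != examiner:
        return None
    return script["answers"]


def login_vulnerable(request):
    """Client-side OTP: browser JavaScript compares the code and posts a flag.
    The server never sees the OTP, so a tampered request passes without one."""
    return request.get("otp_verified") is True


OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 5
_pending_otps = {}  # session token -> {"digest", "expires", "attempts"}


def issue_otp(session, now=None):
    """Generate a 6-digit code and store only its hash server-side. The code
    itself goes out of band (SMS/e-mail) and is never returned to the page."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_otps[session] = {
        "digest": hashlib.sha256(code.encode()).digest(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(session, code, now=None):
    """Server-side check: expiry, attempt limit, constant-time compare, single use."""
    now = time.time() if now is None else now
    entry = _pending_otps.get(session)
    if entry is None or now > entry["expires"]:
        _pending_otps.pop(session, None)
        return False
    entry["attempts"] += 1
    if entry["attempts"] > OTP_MAX_ATTEMPTS:
        del _pending_otps[session]
        return False
    ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry["digest"])
    if ok:
        del _pending_otps[session]  # a code is accepted once
    return ok


if __name__ == "__main__":
    # Examiner ex-7 asks for ex-9's script by sending ex-9's ID: leaks under the vulnerable handler.
    print(fetch_script_vulnerable({"script_id": "script-1002", "examiner_id": "ex-9"}))
    print(fetch_script({"session": "sess-ex7", "script_id": "script-1002"}))  # None
    code = issue_otp("sess-ex7")
    print(verify_otp("sess-ex7", "not-a-code"), verify_otp("sess-ex7", code))
```

In a real deployment the session token would be issued by the server as an HttpOnly cookie rather than kept in `sessionStorage`, and the OTP store would live in a database or cache shared across application instances; the attempt counter matters because a 6-digit code falls to brute force in under a million guesses without it.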
The portal also reportedly used a shared cloud storage bucket across multiple institutions, meaning a single misconfiguration could simultaneously expose answer scripts from many different affiliating schools.
Responsible Disclosure in Practice
Anil's approach was methodical. He reported to CERT-In before going public, redacted personal details and photographs in any materials shared publicly, and limited his technical verification to downloading a small number of files, which he subsequently deleted. When speaking to media, he was careful to clarify what had and had not been accessed, and to frame the issue as a structural problem requiring institutional reform.
"Major corporations like Google, Microsoft, Amazon, and Meta employ ethical hackers," he said in interviews published by Gulf News and other outlets. "The Indian government should do the same across all major platforms storing sensitive data."
Officials responded constructively. IIT Roorkee and NTA acknowledged the disclosures and thanked him publicly. Emergency fixes were implemented across all three systems. The education ministry stated that no exam outcomes, marks, or candidate information had been permanently compromised.
The Pattern Behind Three Independent Failures
The fact that similar vulnerabilities existed across three separate systems — run by three different organisations — points to a structural pattern rather than isolated oversights.
Security treated as an afterthought. Examination platforms are typically evaluated during procurement on feature sets, processing capacity, and user interface. Security audit requirements are often absent from or weakly specified in tender documents. A platform can clear a procurement process without ever undergoing a penetration test.
Cloud configuration debt. Misconfigured cloud storage is among the most common enterprise security failures globally. In India's public sector technology stack, where rapid digitisation frequently outpaces security governance, these misconfigurations can survive for months or years before detection.
Shared infrastructure amplifies risk. When multiple institutions share a single cloud storage configuration, one misconfiguration does not expose one institution's data — it exposes every institution's data simultaneously. Giving each institution its own bucket, or its own prefix with its own access policy, keeps a single error from becoming a systemic one.
No formal bug bounty or disclosure programmes. None of the three systems had a public responsible disclosure policy or bug bounty programme. Vulnerabilities that a researcher like Anil is willing to report for free may alternatively be exploited or sold if no formal channel exists and the discovery carries legal ambiguity.
What Needs to Change
For institutions operating examination platforms — whether affiliating universities, state boards, or national testing bodies — the Rylen Anil findings translate into a concrete security checklist.
| Area | Minimum Requirement |
|---|---|
| Cloud storage | No public bucket access; enforce least-privilege IAM policies; regular configuration audits |
| Administrative credentials | Strong unique passwords; multi-factor authentication on all admin portals |
| Authentication architecture | Server-side OTP and session validation; no credential logic in browser storage |
| Vulnerability disclosure | Published responsible disclosure policy with named contact channel |
| Pre-launch security audit | Mandatory penetration testing before each major exam cycle |
| Data minimisation | Collect and retain only what is operationally required; archive or purge old records on schedule |
Under India's Digital Personal Data Protection Act (DPDP Act) 2023, examination bodies processing student data are classified as data fiduciaries with defined obligations around security safeguards, purpose limitation, and breach notification to the Data Protection Board. A publicly accessible cloud bucket containing exam records, result data, and admit card PDFs would constitute a personal data breach requiring disclosure once the Board becomes operational.
The Case for a Government Bug Bounty Programme
India's technology sector has produced world-class security professionals. Many of them begin their careers identifying vulnerabilities long before formal employment — exactly as Rylen Anil has done. A structured government bug bounty programme for examination infrastructure would create a legitimate, compensated channel for this talent to contribute to national security before malicious actors exploit the same gaps.
The precedent exists. The US federal government operates a Vulnerability Disclosure Policy framework. Several EU member states have run bug bounty pilots for public digital infrastructure. India's own Ministry of Electronics and Information Technology has discussed similar frameworks for critical digital public infrastructure.
The cost of running a bug bounty programme covering JEE, NEET, CBSE, and state board examination platforms is a fraction of the cost of a single exam cancellation, revaluation crisis, or breach investigation involving crores of candidate records.
Conclusion
Rylen Anil spent three to four hours finding what multiple organisations, vendors, and security teams had not. He reported before going public. He asked for systemic change. The vulnerability that allowed 1.79 lakh JEE Advanced candidate records to be listed without authentication was not exotic — it was a misconfigured cloud bucket. The NEET super-admin had weak credentials. The CBSE OnMark portal had client-side authentication checks.
These are not sophisticated failures. They are foundational ones. And their existence across three of India's highest-stakes examination systems in a single year is a signal that examination infrastructure security requires the same sustained attention as examination conduct security.