Nineteen-year-old ethical hacker Nisarga Adhikary revealed vulnerabilities in the CBSE portal, pointing out that he identified flaws within just 20 minutes. Adhikary raised concerns about the accessibility of answer sheets and question papers stored online in an AWS bucket, sparking discussions on CBSE’s digital security. His disclosures about vulnerabilities in CBSE-linked platforms have stirred a national debate on the Board’s technology infrastructure.
Adhikary, who has a background in security research, found the CBSE portal publicly accessible and examined its front-end code, where he uncovered a master password that allowed access to evaluator accounts. Despite reporting 45 vulnerabilities to CBSE, including the master password issue, Adhikary received no response. Following the declaration of results, he publicly disclosed additional vulnerabilities granting access to millions of scanned answer sheets and databases.
When questioned about breaching CBSE’s security protocol, Adhikary highlighted the lack of proper auditing and security measures in place. He emphasized the ease with which he identified vulnerabilities, taking only about 20 minutes to pinpoint the weaknesses. CBSE’s response included filing an FIR over attacks on its portal, although Adhikary clarified that no DDoS attacks were conducted by him or his associates.
Adhikary said he was not concerned about the FIR, citing his connections within the cyber community and CBSE as the reason for his confidence. He recommended that CBSE take security reports more seriously, emphasizing the need for audits and vulnerability assessments before launching digital platforms. Adhikary urged CBSE to enhance its cybersecurity practices by seeking advice from experts and prioritizing security measures in the future.
