
Cybersecurity

A teenager found he could change any student’s marks on India’s exam portal

Photo: Yann / Wikimedia Commons (CC BY-SA 4.0)
By Susan Hill
31 May 2026, 12:07 pm · 4 min read

For much of this exam season, the website that grades the most important tests in India appears to have trusted almost anyone who asked it the right way. A self-taught security researcher says he was able to sign in to the marking portal as any examiner, open the dashboards where answer scripts are reviewed, reset other graders’ passwords, and change the scores attached to students’ papers. The portal belongs to the Central Board of Secondary Education, the body whose Class 12 results decide which universities millions of Indian teenagers can attend.

Those scores are not a private matter between a student and a teacher. In India they are the currency of admission, and a difference of a single mark can move an applicant from one course to another or out of a university altogether. A system that lets an outsider quietly edit them is not a cosmetic bug. It reaches the fairness of the exam itself, the one part of the process students are told they can trust.

The most striking of the problems he describes is almost embarrassingly plain. A master password was written directly into the code that every visitor’s browser downloads to display the site. Anyone who opened that code and read it could use the password to walk straight past the one-time security codes meant to protect each account. In ordinary terms it is the equivalent of printing the master key on the welcome mat and hoping nobody looks down.


The other weaknesses compound the first. The site, he says, asked the visitor’s own browser to confirm who they were instead of checking on its servers. Pages meant only for signed-in graders could be reached by typing their address directly. A request to change a password did not require knowing the old one. Taken together, they meant the website was taking each user’s word for their identity, which is the cardinal mistake in web security, because anything running inside a browser can be rewritten by the person using it.
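To make the difference concrete, here is an added sketch, not code from the portal or from the researcher's report, that sets a password-change handler that trusts the request beside one that decides everything on the server. Every name in it (the handlers, the user ids, the sample passwords) is hypothetical and the data is constructed.

```javascript
// Added illustration: hypothetical handlers and constructed data, not the portal's code.
const { scryptSync, randomBytes, timingSafeEqual } = require("node:crypto");
const hash = (pw, salt) => scryptSync(pw, salt, 32);
function makeUser(id, role, pw) {
  const salt = randomBytes(16);
  return { id, role, salt, pwHash: hash(pw, salt) };
}
// Constructed sample accounts.
const users = new Map([
  ["examiner-1", makeUser("examiner-1", "examiner", "correct horse")],
  ["examiner-2", makeUser("examiner-2", "examiner", "battery staple")],
]);
const sessions = new Map(); // opaque token -> user id, held on the server only

function login(id, pw) {
  const u = users.get(id);
  if (!u || !timingSafeEqual(hash(pw, u.salt), u.pwHash)) return null;
  const token = randomBytes(32).toString("hex");
  sessions.set(token, id);
  return token;
}

// Weak pattern described in the article: the request body says whose account
// this is, no session is checked, and the old password is never asked for.
function changePasswordWeak(req) {
  const u = users.get(req.body.userId);
  if (!u) return 404;
  u.pwHash = hash(req.body.newPassword, u.salt);
  return 200;
}

// Hardened: identity comes from the server-side session, the target is always
// the caller's own account, and the current password must verify first.
function changePasswordHardened(req) {
  const id = sessions.get(req.token);
  if (!id) return 401;
  const u = users.get(id);
  if (!timingSafeEqual(hash(req.body.currentPassword ?? "", u.salt), u.pwHash)) return 403;
  u.salt = randomBytes(16);
  u.pwHash = hash(req.body.newPassword, u.salt);
  return 200;
}

// Direct-address access: each protected route re-checks session and role itself.
function getMarkingDashboard(req) {
  const u = users.get(sessions.get(req.token));
  if (!u) return 401;
  return u.role === "examiner" ? 200 : 403;
}
```

The hardened handler ignores any account id sent by the browser, so rewriting the client-side code changes nothing the server relies on.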

The scale is what makes the findings hard to wave away. The board affiliates more than 28,000 schools across India and others abroad, and the Class 12 examinations it administers are taken by millions of students every year. The marking software itself was built by an outside contractor whose platform is used by other education boards too, which means the questions the case raises stretch beyond a single organisation.

It also landed in the middle of an already tense results period. Students had been complaining in public about marks that looked wrong, scanned answer sheets that arrived blurred, and a portal that kept breaking under load. Against that backdrop, the claim that the same system could be opened with a password lifted from its own code turned a maintenance grievance into a question about integrity.

The board rejects the account entirely. In public statements the Central Board of Secondary Education said the web address circulating online was not the genuine evaluation portal, and that the system used to mark answer books had been neither compromised nor left vulnerable. The researcher answered with archived copies of the site’s code, a screen recording of the master password working, and evidence that the same password opened several related addresses on the same platform, material that is hard to square with the idea of a harmless test environment. None of it proves that any result was actually altered, and no tampered grade has been documented. The dispute is about whether it could have been, and for how long the door stood open.

From the outside, not every claim can be independently verified, and the safest reading treats the researcher’s account as a serious, well-evidenced allegation rather than a settled fact. What is not in question is that the technical findings were lodged with India’s national cyber-emergency team, and that a digital-rights organisation has since written to the Ministry of Education and that same agency asking for an independent audit of the portal and a clear account of who had access to it.

The site is Indian, but the lesson is not. Exam boards, licensing authorities and government services in nearly every market now run on the same kind of single-page web applications, and the same shortcut that caused the trouble here, letting code in the browser decide who is allowed in, is one developers everywhere are tempted to take. The uncomfortable detail is that the flaws described are not exotic. They are the sort a competent team could close in an afternoon, which is exactly what makes their presence in a national exam system so hard to explain.

The researcher says he first reported the problems to India’s cyber-emergency agency in late February and heard nothing substantive through three months that included the release of this year’s Class 12 results. He published the full account on his blog on 22 May, after concluding the warnings had been ignored, and flagged a further database vulnerability days later before the portal was taken offline. Whether the Ministry of Education orders the independent review now being demanded, and whether the contractor’s other clients examine their own systems, is the part of the story still unwritten.

Tags: Cybersecurity, account takeover, CBSE, CERT-In, Nisarga Adhikary, vulnerability disclosure

© 2026 Martin Cid Magazine®. All rights reserved.