MCM
  • TV
  • Movies
  • Tech
  • Music
  • Business
  • Science
  • FIFA World Cup 2026
    • News
    • Groups
    • Calendar
    • Teams
    • Statistics
    • Stadiums
  • Art
  • More
    • Theater
    • Books
    • Style
    • People
    • History
    • Worldwide News
    • Health
    • Sports
    • Motor
  • English
    • English
    • Español
    • Deutsch
    • Français
    • Dansk
    • हिन्दी
    • Italiano
    • 日本語
    • 한국어
    • Norsk bokmål
    • Polski
    • Português (PT)
    • Português (BR)
    • Română
    • Русский
    • Svenska
    • Türkçe
    • Tiếng Việt
    • 简体中文
    • 繁體中文
    • Español (Latinoamérica)
MCM
  • TV
  • Movies
  • Tech
  • Music
  • Business
  • Science
  • FIFA World Cup 2026
    • News
    • Groups
    • Calendar
    • Teams
    • Statistics
    • Stadiums
  • Art
  • More
    • Theater
    • Books
    • Style
    • People
    • History
    • Worldwide News
    • Health
    • Sports
    • Motor
  • English
    • English
    • Español
    • Deutsch
    • Français
    • Dansk
    • हिन्दी
    • Italiano
    • 日本語
    • 한국어
    • Norsk bokmål
    • Polski
    • Português (PT)
    • Português (BR)
    • Română
    • Русский
    • Svenska
    • Türkçe
    • Tiếng Việt
    • 简体中文
    • 繁體中文
    • Español (Latinoamérica)

Press Enter to Search

Cybersecurity

A teenager found he could change any student’s marks on India’s exam portal

A teenager found he could change any student’s marks on India’s exam portal
Photo: Yann / Wikimedia Commons (CC BY-SA 4.0)
Susan Hill
By Susan Hill
31 May 2026, 12:07 pm · 4 min read

For much of this exam season, the website that grades the most important tests in India appears to have trusted almost anyone who asked it the right way. A self-taught security researcher says he was able to sign in to the marking portal as any examiner, open the dashboards where answer scripts are reviewed, reset other graders’ passwords, and change the scores attached to students’ papers. The portal belongs to the Central Board of Secondary Education, the body whose Class 12 results decide which universities millions of Indian teenagers can attend.

Those scores are not a private matter between a student and a teacher. In India they are the currency of admission, and a difference of a single mark can move an applicant from one course to another or out of a university altogether. A system that lets an outsider quietly edit them is not a cosmetic bug. It reaches the fairness of the exam itself, the one part of the process students are told they can trust.

The most striking of the problems he describes is almost embarrassingly plain. A master password was written directly into the code that every visitor’s browser downloads to display the site. Anyone who opened that code and read it could use the password to walk straight past the one-time security codes meant to protect each account. In ordinary terms it is the equivalent of printing the master key on the welcome mat and hoping nobody looks down.

Recommended ReadingThe first generation raised on no-rejection intimacy is starting to fail at work and at love
The first generation raised on no-rejection intimacy is starting to fail at work and at love

The other weaknesses compound the first. The site, he says, asked the visitor’s own browser to confirm who they were instead of checking on its servers. Pages meant only for signed-in graders could be reached by typing their address directly. A request to change a password did not require knowing the old one. Taken together, they meant the website was taking each user’s word for their identity, which is the cardinal mistake in web security, because anything running inside a browser can be rewritten by the person using it.

The scale is what makes the findings hard to wave away. The board affiliates more than 28,000 schools across India and others abroad, and the Class 12 examinations it administers are taken by millions of students every year. The marking software itself was built by an outside contractor whose platform is used by other education boards too, which means the questions the case raises stretch beyond a single organisation.

It also landed in the middle of an already tense results period. Students had been complaining in public about marks that looked wrong, scanned answer sheets that arrived blurred, and a portal that kept breaking under load. Against that backdrop, the claim that the same system could be opened with a password lifted from its own code turned a maintenance grievance into a question about integrity.

The board rejects the account entirely. In public statements the Central Board of Secondary Education said the web address circulating online was not the genuine evaluation portal, and that the system used to mark answer books had been neither compromised nor left vulnerable. The researcher answered with archived copies of the site’s code, a screen recording of the master password working, and evidence that the same password opened several related addresses on the same platform, material that is hard to square with the idea of a harmless test environment. None of it proves that any result was actually altered, and no tampered grade has been documented. The dispute is about whether it could have been, and for how long the door stood open.

From the outside, not every claim can be independently verified, and the safest reading treats the researcher’s account as a serious, well-evidenced allegation rather than a settled fact. What is not in question is that the technical findings were lodged with India’s national cyber-emergency team, and that a digital-rights organisation has since written to the Ministry of Education and that same agency asking for an independent audit of the portal and a clear account of who had access to it.

The site is Indian, but the lesson is not. Exam boards, licensing authorities and government services in nearly every market now run on the same kind of single-page web applications, and the same shortcut that caused the trouble here, letting code in the browser decide who is allowed in, is one developers everywhere are tempted to take. The uncomfortable detail is that the flaws described are not exotic. They are the sort a competent team could close in an afternoon, which is exactly what makes their presence in a national exam system so hard to explain.

The researcher says he first reported the problems to India’s cyber-emergency agency in late February and heard nothing substantive through three months that included the release of this year’s Class 12 results. He published the full account on his blog on 22 May, after concluding the warnings had been ignored, and flagged a further database vulnerability days later before the portal was taken offline. Whether the Ministry of Education orders the independent review now being demanded, and whether the contractor’s other clients examine their own systems, is the part of the story still unwritten.

Tags: Cybersecurity, account takeover, CBSE, CERT-In, Nisarga Adhikary, vulnerability disclosure

Share This Post

More Like This

A scan of 380,000 vibe-coded apps found thousands with no authentication at all

A scan of 380,000 vibe-coded apps found thousands with no authentication at all

Claude found 10,000 critical bugs in a month — humans are now the bottleneck

Claude found 10,000 critical bugs in a month — humans are now the bottleneck

CISA, the agency that defends US federal networks, left its own AWS keys on GitHub

CISA, the agency that defends US federal networks, left its own AWS keys on GitHub

Meta’s AI Reset Instagram Passwords for Hackers Who Just Asked

Meta’s AI Reset Instagram Passwords for Hackers Who Just Asked

OnlyFans denies a 340-million-record breach, and so does the hacker selling it

OnlyFans denies a 340-million-record breach, and so does the hacker selling it

Supreme Court rules police need a proper warrant to pull your location from Google

Supreme Court rules police need a proper warrant to pull your location from Google

Discussion

There are 0 comments.

Most Read

  • 1
    Movies Michelle Keegan’s Private Motherhood Is a Comeback, Not a Retreat
  • 2
    Tech Products Google Pixel 11 Pro: higher price, thinner upgrade, and AI the base model can’t fully run
  • 3
    Movies Nothing to Lose on Netflix: how far a mother goes when no donor matches her son
  • 4
    Movies Stephen Chow ends a seven-year silence with a $74M ‘Kung Fu Soccer’ and an all-women team
  • 5
    Gaming Valve’s Steam Frame Makes Its Case on Compatibility, Not Hardware

Company

  • About Martin Cid Magazine
  • Press Room
  • Team Members
  • Advertise with Martin Cid Magazine
  • Jobs
  • Contact Us

Ethics

  • Publishing Principles
  • Ethical Statement
  • Diversity policy
  • Corrections policy
  • Feedback Policy
  • Staff Diversity

Subscribe to our Newsletter

Get the latest updates in your inbox.

▶ Web Stories
  • Terms and Conditions
  • Legal Notice
  • Cookie Policy
  • Privacy Policy
  • Copyrights
© 2026 Martin Cid Magazine®. All rights reserved.