‘Password was 123456’: Student alleges fresh security lapses in CBSE linked systems

AhmadJunaid | Blog | May 31, 2026


The controversy surrounding CBSE’s On-Screen Marking (OSM) system took another turn on Sunday after Sarthak Sidhant, a 17-year-old Class 12 student who recently questioned the board’s tender process, alleged that security flaws across OnMark-linked portals could put millions of students at risk.

Sharing a new blog post on X, Sarthak wrote: “Almost every single OnMark portal built by EduTek is fundamentally insecure, and CBSE is lying to you about the safety of student data. We found default passwords, URL-based RCEs, and raw MD5 hashes. Millions of students are at risk.”

The latest allegations come just two days after Sarthak’s analysis of CBSE tender documents shifted attention from complaints about blurred answer sheets and evaluation errors to questions about how the OSM contract was awarded.

In his latest post, Sarthak claimed that his review of CBSE-linked infrastructure uncovered multiple security weaknesses, including the use of MD5 password hashes on the SARAS portal, CBSE’s School Affiliation Re-Engineered Automation System.

According to him, the system stored administrator passwords as raw MD5 hashes, a hashing method widely regarded as obsolete and vulnerable to brute-force attacks.

“Fortunately, after discovering this, I immediately emailed them to responsibly disclose the vulnerability,” he wrote, adding that the issue was subsequently fixed. He noted that SARAS was built by a different vendor and not by EduTek or OnMark.

Sarthak said the more serious concerns emerged when attention shifted to portals built by EduTek, the company linked to the OSM system.

He alleged that one administrative portal could be accessed using the password “123456.”

“He sent me the credentials, and I honestly couldn’t believe my eyes,” Sarthak wrote while describing information allegedly shared by 19-year-old ethical hacker Nisarga Adhikary. “I navigated to the administrative login portal, entered the username he provided, and then typed in the password he had sent me: 123456.”

“To my absolute disbelief, it worked perfectly. I was immediately logged in.”

Sarthak claimed the account provided administrative-level access and argued that weak security practices appeared across multiple OnMark-linked domains. 

“As we kept digging, we realized this wasn’t just an isolated mistake on a single portal,” he wrote. “This catastrophic lack of security was a pattern baked into almost every single OnMark website.”

The allegations have surfaced days after Adhikary claimed to have uncovered vulnerabilities in CBSE-linked systems and alleged that examination-related files stored on a cloud server were publicly accessible online.

CBSE, however, has rejected claims that its actual evaluation platform was compromised.

Responding earlier this week, the board said a URL cited in social media posts was only a testing site containing sample data and not the portal used for evaluating answer books.

“The Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post,” CBSE said.

“The URL: http://cbse.onmarks.co.in is the testing site only with sample data for internal testing and review purposes. There are no actual evaluation data, marks or other data held on that portal.”

The board added that “no security breaches have come to light on the Portal deployed for the actual evaluation work.”

In his earlier blog, Sarthak alleged that CBSE modified eligibility and security requirements across successive bidding rounds, changes that he argued may have helped Hyderabad-based Coempt Eduteck secure the contract.

Sarthak also claimed that Coempt Eduteck was previously known as Globarena Technologies, a company linked to the Telangana Intermediate Examination controversy in 2019.


