Ethical Hacker Claims CBSE Portal Exposed Data Of 9.3 Million Students

The CSR Journal Magazine

Tirth Parmar, a 22-year-old BTech student and ethical hacker, has made alarming claims regarding the vulnerabilities present in the Central Board of Secondary Education’s On-Screen Marking (OSM) portal. He stated that he was surprised to discover numerous security flaws that left sensitive student information accessible to anyone with the right knowledge.

Parmar alleges that the lack of a proper security audit by the CBSE allowed these critical bugs to go unchecked. “It was quite surprising because I was not expecting this many critical bugs,” he remarked, noting the ease with which he could access the system. He mentioned two primary methods to exploit these vulnerabilities: one involved downloading publicly available files containing database passwords, and the other required exploiting a series of bugs he identified and reported.

The ethical hacker pointed out that a hard-coded master password was among the less secure elements in the system. Although he believes this flaw has since been rectified, Parmar emphasised that other significant vulnerabilities like SQL injection remain unaddressed, allowing him to retrieve sensitive data without any authentication.

Continuous Attempts to Inform CBSE

Parmar has reportedly attempted to communicate these concerns to the CBSE on multiple occasions but has not yet received a response. “I have reported, I think multiple times, but I haven’t received any response from them yet,” he stated, indicating his frustration with the lack of communication from the organisation.

He further elaborated on the necessity for the CBSE to address these issues, suggesting that the board should initiate a bug bounty programme or a vulnerability disclosure programme. Such initiatives could facilitate the identification and rectification of security lapses by encouraging the contributions of ethical hackers.

Parmar expressed his apprehension regarding the potential for exploitation of these vulnerabilities by unethical hackers. He warned that any individual with malicious intent could easily gain access to the CBSE database, leading to scenarios where sensitive records could be edited or downloaded. He cited a concerning figure of approximately 9.3 million student records that are reportedly at risk due to these security shortcomings.

Call for Immediate Remedial Action

In light of these findings, Parmar has urged the CBSE to prioritise the rectification of the vulnerabilities he reported. “I will ask them to fix the issue which we have reported first, and then do a security audit by themselves or ask other ethical hackers or any contributors as well,” he asserted, emphasising the importance of immediate action to secure the portal.

The CBSE is currently under scrutiny due to various incidents related to technical failures, including issues within its post-result portal and discrepancies noted in the evaluation of answer sheets. This increase in public attention amplifies the urgency for the board to take decisive measures towards improving its security infrastructure.

As institutions increasingly rely on digital systems for critical functions, the need for robust security measures becomes paramount. The developments highlighted by Parmar serve as a reminder of the vulnerabilities that permeate even well-established platforms and the critical importance of regular and thorough security audits.
