CBSE OSM Row: IIT Panel Flags Security Gaps, Says Evaluation Portal Was Not Thoroughly Tested Before Launch

The On-Screen Marking (OSM) portal used to evaluate Class 12 answer sheets was not subjected to a sufficiently rigorous security review before it was launched, according to a member of the IIT panel examining the CBSE post-result ecosystem. 

The expert committee, formed after concerns emerged over the OSM portal, is expected to submit its findings and recommendations to the Education Ministry in the coming days. Officials from IIT Madras and IIT Kanpur have been working alongside CBSE and the Digital India Corporation (DIC) to assess weaknesses in the board's digital evaluation infrastructure. 

ALSO READ: Punjab Announces Free Bus Travel For NEET Re-Exam Students, Attendants Also To Benefit

IIT Panel Identifies Security Weaknesses 

During the review, the panel found multiple vulnerabilities in the OSM system. Following these findings, experts helped create a new examiner-facing portal using the base code of the discontinued platform. The revised system is currently being used for answer-sheet verification and re-evaluation processes. 

According to the panel member, the original portal had undergone an audit before deployment, but the review was not comprehensive enough to detect all critical vulnerabilities. 

"It was not thoroughly tested. It is not like it (the portal) was not tested, there was an auditor hired by CBSE who tested it and gave its go ahead and everything. But a through analaysis was not done, that should have been done. The auditing was not suficient," the member told ANI on condition of anonymity. 

Findings Echo Concerns Raised by Ethical Hacker 

The IIT panel's observations align with issues earlier highlighted by 19-year-old ethical hacker Nisarga Adhikary. Several vulnerabilities identified independently by him were also detected during the committee's assessment. 

"The auditing was done, and some vulnerabilities were found, but several others were missed. Systems handling critical data require deeper and more rigorous security analysis," the panel member said. 

Among the concerns raised were vulnerabilities that allegedly enabled OTP bypass mechanisms, access through a hardcoded master password, and potential exposure of answer-sheet records. 

Call for Stronger Cybersecurity Measures 

The panel has recommended advanced testing methods, including vulnerability assessments, penetration testing, and Red Team-Blue Team exercises, for digital platforms handling sensitive educational data. 

"Cybersecurity operations involve offensive and defensive functions. There are Red Teams and Blue Teams that attempt to identify weaknesses and strengthen the system. All these mechanisms need to be employed to thoroughly examine a platform of this scale," the member said. 

The expert also emphasised that stronger security reviews should become mandatory for public-facing platforms. 

"Portals that are exposed to the external world need to be thoroughly tested for functionality, threats and security. We will be giving these recommendations more specifically in our report," the member said. 

No Evidence of Student Data Leak 

While acknowledging that serious vulnerabilities existed, the panel member clarified that investigators had not found evidence suggesting student records were leaked or misused. 

"I spoke to Nisarga. He was able to download some data but deleted it. We have not observed any evidence of records being leaked outside. It was an ethical hack," the member said. 

The expert further noted that the newly developed portal is only a temporary solution and that a more robust long-term system would eventually be required. 

ALSO READ: NEET's Digital Shift: Will It Benefit Students Or Create New Challenges?

On the possibility of CBSE managing such platforms entirely on its own, the member said the board would continue to require support from specialised technology organisations. 

"CBSE cannot do everything in-house and completely avoid involving third parties. It does not have that level of expertise. They need to engage with specialised organisations," the member said. 

Summing up the lessons from the controversy, the panel member stressed the importance of stronger data governance and comprehensive security reviews. 

"The first thing needed is that CBSE should have control over the data. There has to be a thorough security analysis, which was not done adequately in this case," the member said. 

Education Loan Information:
Calculate Education Loan EMI