Nisarga Adhikary doesn’t fit the cliché of a shadowy hacker. For one, he’s just 19 and has just given his board exams. A regular private school student with parents who are government officials, he began coding in the 7th grade. Curious about repeated student complaints around missing answer sheets and altered marks, Nisarga started examining Central Board of Secondary Education's (CBSE)newly launched On-Screen Marking (OSM) portal as a way to pass the time.Karnataka SSLC results: More than 9 lakh students registered for the SSLC examination across Karnataka, of whom 8 lakh appeared. (AI image for representation)“I wanted to understand why it was in the news so much, so I started playing around with the website. The problems only showed up once I stopped looking at the page and started looking at the code behind it,” said the teen, who is now fielding offers from AI startups, after his tweet went viral.What he allegedly found raised serious cybersecurity concerns. According to Nisarga, the “master password” for the website, used by evaluators, was openly stored in the site’s JavaScript code, OTP verification could be easily bypassed, and several internal dashboards lacked proper protection. He also claimed the password reset feature did not require verification of the old password, potentially allowing unauthorised access. Describing himself as an ethical hacker, he confirmed that “this was done in good faith, and I make no profit from it.”Nisarga further says he reported the issues to CBSE as well as CERT-in and gave them three months to fix the flaws. “What shocks me is that this could have been solved by an engineer like myself in merely 2–3 hours. I don’t know why they chose to ignore this,” he said. The issue gained attention recently after his findings went viral on X.CBSE later released a statement saying the website mentioned in the viral claims was only a testing portal used for internal trials and did not contain any real student marks or evaluation data. The board added that the actual portal used to check answer sheets had a different URL and, according to them, was neither hacked nor affected by the security flaws mentioned online.Nisarga, however, has disputed the claim and posted video and photographic evidence on X. “They posted a link in the tweet to a website which did not exist. I bought it, and now it goes to my own blog,” he said, adding with a laugh, “Yeah, this is just a hobby.”
This teen hacked into CBSE’s OSM portal while preparing for boards, says ‘This is just a hobby…’
What began as curiosity during board exam season has now turned a 19-year-old student from Siliguri into the centre of a viral cybersecurity controversy
408 words~2 min read
