Updated Jun 6, 2026 · 13:26

Teen Ethical Hacker Exposes CBSE Portal Flaws in 20 Minutes

19-year-old ethical hacker Nisarga Adhikary exposed over 45 vulnerabilities in the CBSE portal, including a master password allowing access to evaluator accounts. He discovered that 30 million scanned answer sheets and databases were publicly accessible on an AWS bucket. Despite reporting the issues three months before results, CBSE did not respond until he went public. Adhikary remains unafraid of the FIR, urging CBSE to take security reports seriously.

Found CBSE portal vulnerabilities in 20 minutes, not afraid of FIR: Teen ethical hacker Nisarga Adhikary (IANS Interview)

New Delhi, June 6

Nineteen-year-old ethical hacker Nisarga Adhikary on Saturday spoke exclusively to IANS and alleged flaws in the CBSE portal, saying that it took him just 20 minutes to identify vulnerabilities.

This comes as fresh questions have emerged over the security of CBSE's digital infrastructure after Adhikary alleged that answer sheets and question papers stored on an AWS bucket were publicly accessible online.

The claim comes amid ongoing scrutiny of CBSE's On-Screen Marking (OSM) system and days after Adhikary's disclosures about vulnerabilities in CBSE-linked digital platforms triggered a nationwide debate over the Board's technology ecosystem.

Nisarga Adhikary also spoke to IANS on various aspects of hacking, shortcomings in the CBSE portal, how he breached the security protocol, and several other issues.

Here is the full interview:

IANS: You are an ethical hacker. How did you come to know about the anomalies in the CBSE portal?

Nisarga Adhikary: So, I have an extensive background in security research and all. When CBSE launched its portal and issued its circulars and everything, I started digging deeper. I found the portal link, and it was open to the public.

After I found the portal link, I started examining what information I had about the portal and used it for reconnaissance. I found the front-end code for the site in JavaScript, but it was around 9,000 lines of code. So, I used some AI-assisted tools to go through it and found that it contained a master code password.

With that master password, you could access any evaluator's account as long as you had the user ID. I managed to obtain some evaluators' user IDs through Google searches and other sources. After that, I was able to log into those accounts.

I saw that I was able to access evaluator papers and generate grades. During that time, I also found 45 other vulnerabilities and reported them to CBSE, but they did not respond. The master password issue was one thing, but the other 44 vulnerabilities I reported were also still there.

I waited for three months until the results were declared and then went public with the information. After going public, I discovered additional vulnerabilities that gave me access to nearly 30 million scanned answer sheets, databases, and more. So, yeah, that's it, I guess.

IANS: Were you able to breach the security protocol of the CBSE server to establish its vulnerability?

Nisarga Adhikary: I was able to breach the security protocol. They did not have a proper security protocol. It was not properly audited and all.

IANS: How did you breach the security protocol? How did you know that it was vulnerable to a cyberattack?

Nisarga Adhikary: It was pretty easy to identify the vulnerabilities. You could tell that there was not much experience involved in this field. I found the issues very quickly. It took me around 20 minutes.

Then I started testing and exploiting them in a good way, in an ethical manner, and reported everything.

IANS: CBSE has filed an FIR over attacks on its portal.

Nisarga Adhikary: Yeah, that's different. They experienced a DDoS attack on their PBR portal. None of us, those who researched this issue with me, carried out any DDoS attack because it's a pretty pointless thing to do and it doesn't work very well.

IANS: Are you worried about the FIR?

Nisarga Adhikary: No, I'm not. I'm in touch with some people connected with CBSE and some people from the cyber community. I'm not afraid at all.

IANS: What are your suggestions to CBSE, and what can it further improve?

Nisarga Adhikary: I think they should start taking security reports more seriously because this is not a one-off case with CERT or CBSE. They do not take security reports seriously and do not treat security with the importance it deserves.

In the agreement they had published publicly, it was mentioned that COEM needed to conduct audits and VAPT testing before taking the site into production. I'm pretty sure that didn't happen. The site was taken into production without proper audits and security checks.

I hope those security checks are taken more seriously in the future. I also hope they seek more advice from experts and strengthen their overall cybersecurity practices.

— IANS

Reader Comments

Priya S

The fact that there was a master password hardcoded in the front-end JavaScript is laughable. 🤦‍♀️ Any first-year CS student would know better. And CBSE filing a DDoS FIR when this kid clearly reported vulnerabilities ethically is just deflection. Instead of wasting police time, they should be thanking him and fixing their mess before the next hacker with malicious intent finds these holes.

Rohit P

Honestly, I'm tired of these "ethical hackers" who think they're heroes for breaking into systems. 🤨 Yes, CBSE should have better security, but he didn't follow proper disclosure protocols. You report privately, give them time, don't go public with all the details. Now he's putting every student's data at risk by showing exactly how to exploit it. There's a reason bug bounty programs exist.

Sneha F

I'm a parent of two CBSE students and this is terrifying. 😰 My children's answer sheets, personal data, grades - all sitting on a public AWS bucket? And CBSE's response is to threaten a 19-year-old with an FIR? They should be reforming their entire IT department. This boy did what their paid security consultants couldn't - in 20 minutes! He deserves a reward, not a lawsuit.

Michael C

As someone who works in cybersecurity in the US, this is a textbook example of what NOT to do. Front-end JS with hardcoded passwords? Master credentials in source code? 9,000 lines of unminified JavaScript? These are basic security 101 failures. The fact that CBSE outsourced this to COEM and they supposedly did VAPT testing is either incompetence or outright fraud. Someone needs to be held accountable here. 🔍
