After CBSE, experts find cracks in Maharashtra technical board's online marks system

Following CBSE fallout, a publicly exposed 'master password' on MSBTE's OnMarks portal raises fresh questions about the security of India's digital exam systems.


A viral post by a 19-year-old Class 12 student alleging security flaws in the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) portal recently sparked a wider debate around the security of India’s digital exam infrastructure. The student claimed vulnerabilities in the system could expose sensitive evaluation-related data, prompting the CBSE to issue a clarification stating that the portal in question was a “testing site only with sample data”, not its live evaluation system. Even after the clarification, the student continued to stand by the findings, keeping the issue alive online.


But the concerns may not end with CBSE. Similar vulnerabilities were found on OnMark, the Maharashtra State Board of Technical Education (MSBTE) On-Screen Marking platform, by independent security researcher Karan Saini, who said he found a “master password” embedded in publicly accessible JavaScript files linked to the student login portal. In the CBSE case, too, the exposed credential was allegedly found on OnMark’s evaluator-facing portal.

According to Saini, the MSBTE credential has remained publicly accessible for months. He said this showed that “the developers got lazy and used this cheap trick more than once.”

How exposed client-side credentials on the MSBTE portal could potentially open access to student dataset

As MSBTE conducts examinations for diploma, post-diploma, advanced diploma, engineering, pharmacy, and government-approved short-term technical programmes, any security gaps in its digital infrastructure could impact a large number of students appearing for these examinations across affiliated institutions.

Amid the claims and counterclaims, India Today sought to report only what could be independently verified. With the help of another Bengaluru-based software developer, we examined the JS bundle — the file that carries the website’s front-end code to a user’s browser — and found several apparent vulnerabilities in MSBTE’s evaluation portal. Among them was a hardcoded admin-bypass credential, or “master password”, left exposed in the client-side files.

In simple terms, a “master password” works like a universal key. Instead of opening just one user account, it can give access to many parts of a system, access that is normally limited to administrators or authorised staff. A “hardcoded credential” means such a password has been directly written into a website’s code instead of being securely hidden on the server. Since that code is publicly accessible, someone with basic technical knowledge may be able to see and potentially misuse it.
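A pre-release check for the class of flaw described above, as an added example that is not from the article, the researchers or the vendor's code: it scans a built front-end bundle for string literals compared against credential-like property names. The sample bundle, the function and property names, and the placeholder values are all constructed for illustration.

```javascript
// Added example: pre-release lint for a built front-end bundle.
// Flags comparisons between a credential-like name and a string literal,
// the shape a hardcoded "master password" check takes in client code.
// Heuristic only: minifiers rename local variables, so it relies on
// property names (e.password, form.otp), which survive minification.
const CRED_NAME = /pass(word|wd)?|pwd|secret|otp/i;

// Either  name ==/===/!=/!== "literal"  or  "literal" ==/===/!=/!== name
const CMP =
  /([\w$.]+)\s*(?:===?|!==?)\s*(["'`])((?:\\.|(?!\2).)+)\2|(["'`])((?:\\.|(?!\4).)+)\4\s*(?:===?|!==?)\s*([\w$.]+)/g;

function findHardcodedCredentialChecks(source) {
  const findings = [];
  for (const m of source.matchAll(CMP)) {
    const identifier = m[1] ?? m[6];
    const literal = m[3] ?? m[5];
    if (!CRED_NAME.test(identifier)) continue; // e.g. e.mode === "student"
    findings.push({
      line: source.slice(0, m.index).split("\n").length,
      identifier,
      // Report the length only, so the secret never lands in CI logs.
      literalLength: literal.length,
    });
  }
  return findings;
}

// Constructed sample input, not taken from any real site.
const SAMPLE_BUNDLE = [
  'function login(e){',
  '  if(e.password==="CONSTRUCTED-PLACEHOLDER"){return openSession(e.user,{skipOtp:!0})}',
  '  if(e.mode==="student"){render(e)}',
  '  if("000000"==e.otp){return openSession(e.user,{})}',
  '  return api.post("/login",e)',
  '}',
].join("\n");

for (const f of findHardcodedCredentialChecks(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.identifier} compared to a ${f.literalLength}-char literal`);
}
```

Any finding should fail the build: credential and second-factor checks belong on the server, where the comparison value is never shipped to the browser.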

Interestingly, the exposed password included the term “Coempt”, an apparent reference to Coempt Eduteck Private Limited, the software company that manages the website, a practice that induces risk and is often considered avoidable. The same password was used to log in, bypassing the two-factor verification.

In a recent update, CBSE rejected allegations over the award of the contract to Coempt Edutech. The board said it had “scrupulously” followed General Financial Rules while awarding the contract to the qualified bidder.


India Today’s OSINT (Open-Source Intelligence) team found that the password left exposed in the website’s code could open the door to a live system containing student records. The exposed password, when paired with publicly available enrolment numbers, allowed student accounts to be accessed, showing that the lapse was not merely theoretical.

What is even more concerning is that when the fetched student dataset was inspected through the browser, it showed an “override” option, raising questions about whether student data, including marks, could potentially be altered.

Neither the experts nor India Today’s reporters attempted to alter any records during the exercise. Still, the vulnerability raises serious questions about the integrity of digital evaluation systems provided by Coempt Edu Teck, a Hyderabad-based examination solutions company.

A master key sitting openly inside the website’s JavaScript is, by itself, a serious security lapse. The key was not just exposed, but also valid and capable of opening access to the portal.

Anyone with the leaked credentials could have entered the portal without authorisation, and depending on the level of access, may have been able to interfere with critical data. Saini told India Today that the risk was similar to what was reported in the CBSE OnMark case, calling it “a grave data leak and exam integrity issue.”


While the CBSE evaluation portal referenced in the viral claims is currently not publicly accessible, archived snapshots of the website from March 3 this year suggest the exposed credential issue may have been addressed. A review of the archived JavaScript bundles indicates that the previously reported hardcoded credential, the “master password”, no longer appears to be present, pointing to a possible remediation or patch.

However, the episode raises broader questions over how securely digital evaluation systems used by education boards are being developed and maintained, especially as more examinations shift to online and on-screen platforms.

Published By: Bidisha Saha
Published On: May 27, 2026 20:26 IST