Nisarga Adhikary hacks CBSE portal again, plays viral Bad Apple song
Nisarga Adhikary, a 19-year-old ethical hacker, has sparked fresh controversy around CBSE's digital systems after claiming he managed to play the viral Bad Apple animation meme on a CBSE portal, while demonstrating what he described as serious security vulnerabilities.
A viral Bad Apple animation meme has become the latest flashpoint in the controversy surrounding CBSE’s digital systems after a 19-year-old student and ethical hacker claimed he managed to play the song on a CBSE portal, while demonstrating what he described as serious security flaws.
“We managed to play the iconic Bad Apple video on CBSE's prod site,” Nisarga Adhikary posted on X, claiming he had gained extensive access to servers connected to the board’s On-Screen Marking (OSM) system.
The Bad Apple meme is an iconic internet challenge where the black-and-white shadow-art music video of the song Bad Apple is recreated, coded or ported onto virtually any visual medium. Since it is purely monochrome, Internet users love recreating it on oscilloscopes, in Minecraft and on retro consoles.
Nisarga, a Class 12 student, who previously said he reported multiple vulnerabilities to authorities, alleged that he was able to obtain full create, read, update and delete (CRUD) access as well as shell access to production servers.
“We were able to get full create, read, update and delete (CRUD) access and shell access to CBSE's prod servers. This is disastrous,” he wrote.
Adhikary shared a screen recording showing the popular "Bad Apple" silhouette animation running on a CBSE-linked dashboard page. The clip also displayed the message: “PWNED via SQLi by web hackers :3”, referring to an alleged SQL injection vulnerability.
According to the student, the demonstration was intended to highlight weaknesses in systems connected to digital answer-sheet evaluation and examination management.
The claims surfaced amid continuing scrutiny of CBSE’s post-result processes, answer-sheet verification mechanisms and re-evaluation systems used by millions of students.
In an earlier interview with India Today TV, Adhikary said he had identified more than 40 vulnerabilities and reported them through official channels months ago. “I documented multiple vulnerabilities,” he said.
According to him, the issues included authentication weaknesses and access controls that could potentially allow unauthorised users to access examiner-level functions. “The first vulnerability took around 30 minutes. Overall, maybe two or three hours,” he claimed.
The student said he informed government cybersecurity channels, including CERT-In, but received only an acknowledgement. “No reply from CBSE or the vendor, only an acknowledgement,” he alleged.
CBSE REACTS
CBSE has strongly disputed the allegations and said claims of a compromise of its On-Screen Marking (OSM) portal are misleading. According to the board, the URL cited in social media posts referred only to a testing environment containing sample data used for internal review purposes.
The board said the actual portal used for evaluation of answer books was different and had not been compromised. It has postponed the opening of its post-result verification and re-evaluation portal to June 1.
CBSE further said no security breach had been detected in its live evaluation system and maintained that strong safeguards and grievance-redressal mechanisms remain in place to ensure the integrity of examinations and assessments.
The controversy came at a sensitive time, with CBSE and other examination bodies facing increasing scrutiny over digital systems, answer-sheet access and concerns raised by students regarding examination transparency.