OSM portal was not 'thoroughly' tested for functionality and security threats before deployment: IIT panel member
New Delhi: The On-Screen Marking (OSM) portal, used for evaluating the Class XII answer sheets of lakhs of students, was not "thoroughly" tested and did not undergo a "sufficient" assessment of its functionality, security vulnerabilities, and potential threats before deployment, a member of the IIT panel auditing the CBSE post-result ecosystem told ANI.

The IIT panel, constituted following the controversy surrounding the OSM portal, is expected to submit its report to the Education Ministry on its findings and recommendations in the coming days.
Officials from IIT Madras and IIT Kanpur worked closely with the CBSE and other agencies like Digital India Corporation (DIC) to identify vulnerabilities in the CBSE post-exam ecosystem.
After identifying multiple vulnerabilities in the OSM portal, the IIT panel assisted in the development of a new examiner-facing portal using the base code of the now-discontinued system. The new portal is currently being used for the verification and re-evaluation of answer sheets.
One of the key observations of the panel was that the original portal had undergone an audit, but the process was not comprehensive enough, and several critical vulnerabilities remained undetected.
"It was not thoroughly tested. It is not like it (the portal) was not tested, there was an auditor hired by CBSE who tested it and gave its go ahead and everything. But a thorough analysis was not done, that should have been done. The auditing was not sufficient," the member of the IIT panel said on the condition of anonymity.
The portal was created and managed by a private IT service provider named Coempt Eduteck, which is at the centre of the Class XII result controversy.
The IIT panel member referred to the findings of 19-year-old ethical hacker Nisarga Adhikary from West Bengal, who independently identified several vulnerabilities that were also observed during the IIT panel's assessment.
"The auditing was done, and some vulnerabilities were found, but several others were missed. Systems handling critical data require deeper and more rigorous security analysis," the panel member said.
Nisarga had highlighted severe flaws in the portal, including vulnerabilities that allowed OTP bypass, access to examiner accounts through a hardcoded master password, and potential access to millions of students' answer sheets.
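The two flaws named above, a hardcoded master password and an OTP check that can be skipped, are common enough that it is worth seeing what they look like in code next to a hardened login. The following is an added illustration written for this page; it is not the OSM portal's code, the usernames, passwords and OTP values are constructed, and the `AuthService` class and its method names are hypothetical.

```python
"""Added example: an examiner-login routine with a hardcoded master password
and a skippable OTP check, beside a hardened version. Not the OSM portal's
code; every user, password and OTP here is constructed for the demo."""
import hashlib
import hmac
import os
import secrets
import time

# ---- Vulnerable shape (constructed, illustrative only) ----
MASTER_PASSWORD = "admin123"   # hardcoded: anyone who reads the source, a backup
                               # or a leaked build can open every account
VULN_USERS = {"examiner01": "pass-one", "examiner02": "pass-two"}  # plaintext


def vulnerable_login(username, password, otp=None, pending_otps=None):
    """Return a session dict or None.
    Flaw 1: MASTER_PASSWORD is accepted for any account.
    Flaw 2: when the client simply omits the OTP, the second factor is never
    checked, so a stolen or guessed password is enough on its own."""
    pending_otps = pending_otps or {}
    if username not in VULN_USERS:
        return None
    if password != MASTER_PASSWORD and password != VULN_USERS[username]:
        return None
    if otp is not None:                       # bypass: no OTP field -> no check
        if pending_otps.get(username) != otp:
            return None
    return {"user": username}


# ---- Hardened shape ----
def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AuthService:
    """Per-user salted hashes, no shared secret, OTP mandatory, single-use,
    time-limited, compared in constant time. (Hypothetical class name.)"""
    OTP_TTL = 120   # seconds an issued OTP stays valid

    def __init__(self):
        self._users = {}   # username -> (salt, digest)
        self._otps = {}    # username -> (otp, expiry timestamp)

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def issue_otp(self, username, now=None):
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never derived from the user
        self._otps[username] = (otp, now + self.OTP_TTL)
        return otp

    def login(self, username, password, otp, now=None):
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # burn the same time for unknown users
            return None
        salt, digest = rec
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            return None
        pending = self._otps.pop(username, None)   # single use: any attempt consumes it
        if pending is None or now > pending[1]:
            return None
        if not hmac.compare_digest(pending[0].encode(), (otp or "").encode()):
            return None                            # missing OTP is a failure, not a skip
        return {"user": username, "issued": now}
```

In the hardened version a correct password with no OTP is rejected, there is no credential that opens every account, and an OTP is consumed on the first attempt, correct or not, which keeps a wrong guess from being retried against the same code.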
Explaining the kind of security assessment required for such sensitive platforms, the IIT panel member said that advanced security practices, including vulnerability assessment, penetration testing, and Red Team-Blue Team exercises, should be carried out to stress-test the system's defences.
"Cybersecurity operations involve offensive and defensive functions. There are Red Teams and Blue Teams that attempt to identify weaknesses and strengthen the system. All these mechanisms need to be employed to thoroughly examine a platform of this scale," the member said.
The recommendation for deeper and multi-layered security audits of sensitive digital platforms will be part of the IIT panel's report to the ministry.
"Portals that are exposed to the external world need to be thoroughly tested for functionality, threats and security. We will be giving these recommendations more specifically in our report," the panel member said.
The member also clarified that while the ethical hacking incident exposed serious vulnerabilities, there was no evidence to suggest that student records had been leaked or misused.
"I spoke to Nisarga. He was able to download some data, but deleted it. We have not observed any evidence of records being leaked outside. It was an ethical hack," the member said.
When asked whether the newly developed portal could be used for the next examination cycle, the IIT panel member described it as "a kind of patchwork" and indicated that a more robust and long-term solution would be required.
On the lessons for the future and whether CBSE can conduct the entire digital evaluation process in-house without involving private vendors, the member said that the Board currently does not have the required technical expertise to independently build and manage such large-scale systems and would need to engage external agencies.
"CBSE cannot do everything in-house and completely avoid involving third parties. It does not have that level of expertise. They need to engage with specialised organisations," the member said.
The panel member stressed that the most important lesson from the OSM controversy was that CBSE must retain greater control over its data and ensure that any platform handling sensitive examination records undergoes a comprehensive security assessment before deployment.
"The first thing needed is that CBSE should have control over the data. There has to be a thorough security analysis, which was not done adequately in this case," the member said.