The CBSE Is Under Fire Thanks to the Efforts of Teenagers
New Delhi: Earlier on June 1, a fire broke out at a government building. Several news outlets and a prominent news agency reported that it broke out in an office of the Ministry of Education. Later, the ministry clarified that it was at the School of Planning and Architecture, and not the education ministry’s offices, that the fire broke out. But by then, several opposition politicians and commentators on social media had already wondered aloud whether key documents connected to the crisis in the online marking system of the Central Board of Secondary Education were likely to be burnt in the fire.
Yet others noted how the future of lakhs of children has already gone up in flames.
In the last few days, the CBSE’s struggles against criticism of its online marking system have been amplified by the fact that it is the work of teenagers that has shed light on it.
Nineteen-year-old ethical hacker Nisarga Adhikary, who wrote the CBSE Class 12 exam this year, claimed on May 22 that he was able to access crucial servers of the board’s On-Screen Marking system portal. In multiple interviews, Adhikary has noted that he had alerted CERT-In of these vulnerabilities in February itself but many of them – if not all but one, he says in his interview to Newslaundry – remained unattended to, despite the nodal government agency in charge of cybersecurity incidents acknowledging his email.
In his widely shared blogpost, titled ‘Exposing Critical Vulnerabilities in CBSE’s On-Screen Marking Portal: From Authentication Bypass to Full Account Takeover’, Adhikary notes that to log in as a specific examiner, all that an attacker needs is a target’s user ID and school code, both of which are publicly obtainable, and the master password, sitting in a JavaScript file which anyone can download. But this is not the only vulnerability, Adhikary noted.
“Every one of these vulnerabilities traces back to the same root mistake: putting secrets and security decisions in code that runs on the user’s machine,” he wrote.
On May 31, again,........