New Delhi: Nisarga Adhikary, the 19-year-old ethical hacker who exposed vulnerabilities in the Central Board of Secondary Education's (CBSE) On-Screen Marking (OSM) system, has been hired by IIT Kanpur as an Open-Source Intelligence (OSINT) and threat intelligence engineer at C3iHub, the institute's cybersecurity and cyber defence innovation hub.
Adhikary is a self-taught software engineer and cybersecurity researcher from Siliguri, West Bengal, who has no formal college degree yet. He describes himself as a full-stack developer, CTF (Capture The Flag) player, and open-source enthusiast with experience at startups and various projects to his name. His personal website says he is passionate about cybersecurity and digital rights.
He identified serious flaws in CBSE’s OSM system, which handles on-screen evaluation of answer sheets for millions of students. He reported issues such as a hardcoded master password in plain text, client-side OTP validation bypasses, and risks of impersonation that could potentially allow tampering with sensitive student data for approximately 1.8 million examinees.
“It took me less than an hour to find all the vulnerabilities inside the system. Anyone can impersonate any examiner of their choice. The access control is totally broken,” Adhikary, a Class 12 student, said. “I could change the marks. There is no OTP security, anyone can change the password.”
After an initial complaint in February went unheeded, he published a detailed technical blog post on 22 May outlining these vulnerabilities.
CBSE initially faced criticism but later collaborated with cybersecurity experts from IIT Madras and IIT Kanpur. Teams led by senior faculty, including Manindra Agrawal, the Director at IIT Kanpur, worked intensively for nearly two weeks starting May 24 to patch the gaps. Adhikary was invited to Delhi for discussions with the IIT expert team to share his insights.
Impressed by Adhikary’s skills, Agrawal reached out directly after reading the blog post. The institute moved quickly to bring him on board full-time at C3iHub.
It was pure curiosity that drew him to “play around” with the portal, and he claims it was very easy for him to do.
“It was one of the easiest hacks of my life. You don’t even need to know programming, you just need to know control point F and need to know the logic. That was the master vulnerability,” Adhikary had said.
As per reports, his role at IIT Kanpur will focus on OSINT and threat intelligence, with potential expansion into vulnerability assessment and penetration testing.
(Edited by Stela Dey)

