I had hacked CBSE's OSM (On Screen Marking) Portal and didn't receive any acknowledgement from CBSE despite reporting it through several routes
I'm a hobbyist cybersec researcher, just got done with 12th this year. Have done bug bounty and stuff before for fun - this year CBSE introduced OSM and the portal link was public, it sparked my curiosity.
I opened the portal and started playing with the HTTP requests & everything.
I started reading their JS bundle code and found something horrible.
My first e-mail to CERT-In (Computer Emergency Response Team of the Indian Government):
> Hi, I'm a hobbyist cybersecurity researcher and I have found some severe security issues in the CBSE On Screen Marking Portal ([https://cbse.onmark.co.in/cbseevalweb](https://cbse.onmark.co.in/cbseevalweb)).
> There's a hardcoded master password in the main frontend javascript file. A master password [REDACTED] is hardcoded directly in the client-side JavaScript bundle. This password automatically fills the OTP field and bypasses normal authentication flows.
> There are other severe issues as well, OTP validation logic is implemented entirely on the client side. The server sends the OTP in the authentication response, and JavaScript validates it locally before granting access.
> Anyone can bypass the login panel easily as well because the validation takes place client side.
I was basically able to login as any teacher and edit marks myself.
They asked me for more information and screen recordings in the reply of the email. I replied with more information:
> Hello, I'm attaching a screen recording of the OTP/auth Bypass vulnerability through the found master password in the frontend source code.
> First of all, you'll need to find someone's user ID and school code (which is publicly obtainable). For the password, I used the master password which I got by inspecting the frontend minified source code ([https://cbse.onmark.co.in/cbseevalweb/main.dc17c24606b3b008.js](https://cbse.onmark.co.in/cbseevalweb/main.dc17c24606b3b008.js)). The master password automatically bypassed OTP authentication as soon as I entered the password.
> You can see how I did it in the attached video/screen recording file (I have attached a screen recording with this e-mail).
> For the second login bypass vulnerability, you'll need to open DevTools of your browser and paste this snippet:
```javascript
localStorage.setItem('jwtToken', 'dev-token-12345');
sessionStorage.setItem('role_id', '23');
sessionStorage.setItem('ValType', 'Regular');
sessionStorage.setItem('eval', JSON.stringify({
  user_id: 'DEV001',
  role_id: '23',
  mobile_no: '9999999999',
  email: 'dev@test.com',
  jwtToken: 'dev-token-12345'
}));
// Then navigate
window.location.href = '/cbseevalweb/#/dashboard';
```
> It'll bypass the login page and will take you straight to dashboard.
> I found some new other issues as well:
> The entire Angular route config has zero canActivate guards. Every route /dashboard, /profile, /evalscriptsview, /heallscripts, /evaluatordetails, /verificationdashboard, etc. is navigable by anyone. An unauthenticated user can just type the URL directly and land on any page. The only "protection" is a default redirect to /login, which is trivially bypassed.
> The ChangePassword API only sends { ValuatorID, pin_NewPassword }. The oldpassword variable exists in the component but is never included in the API payload. Combined with the IDOR issues present in the site, this means any user can change any other user's password without knowing the current one - full account takeover chain.
(can change anyone's password and take over their accounts)
> There might be a potential systemic IDOR Across 40+ API Calls. The ValuatorID / user_id in every API call comes from sessionStorage["eval"], which is trivially editable in DevTools. This is systemic, practically every POST request in the website/service is IDOR-vulnerable.
> Thank you, please get back to me as soon as possible. I'll be happy to answer further questions/provide more PoCs.
They replied with a boilerplate email:
> Dear Sir,
> Thank you for reporting this incident to CERT-In.
> We have registered your complaint/incident under Ref: CERTIn-XXXXX .
> We are in process of taking appropriate action with the concerned authority.
After that, I tried following up several times and sent mails - no reply from their end. It's funny that they could never patch most of the vulnerabilities I reported. I probably would've patched these vulnerabilities in an hour or two max if I were in their place. The incompetency of our authorities baffles me.
Thank you for reading!
Attached screenshots of some mails for proof.
tldr: i had hacked cbse osm portal and could edit anyone's marks, reset any examiner's password and change any of their details and so on.
edit (8:08pm):
tweeted about it and published a detailed blog on it: https://ni5arga.com/blog/posts/hacking-cbse/
edit (11:40pm):
tweet got taken down and my account got locked, in touch with twitter's support team.