Analysis of Alleged Cybersecurity Vulnerabilities within the CBSE On-Screen Marking Infrastructure

關於 CBSE 螢幕評分基礎設施涉嫌存在網絡安全漏洞之分析


Introduction

A nineteen-year-old independent researcher, Nisarga Adhikary, has asserted the discovery of critical security deficits within the Central Board of Secondary Education's (CBSE) On-Screen Marking (OSM) portal.

一名 19 歲的獨立研究員 Nisarga Adhikary 聲稱,他在中央中等教育委員會 (CBSE) 的螢幕評分 (OSM) 門戶網站中發現了嚴重的安全缺陷。

Main Body

The technical allegations center upon the identification of a hard-coded master password embedded within a publicly accessible JavaScript bundle. Adhikary posits that the utilization of this credential, in conjunction with a target user ID and school code, facilitates unauthorized access to examiner accounts, thereby permitting the modification of academic marks. Furthermore, the researcher alleges a systemic failure in the One-Time Password (OTP) mechanism, asserting that the server transmits the OTP within the authentication response, allowing for client-side bypass of the verification process.

技術指控集中在於一個公開可存取的 JavaScript 包中發現了硬編碼的主密碼。Adhikary 認為,利用此憑據搭配目標使用者 ID 和學校代碼,即可實現對考官帳戶的未經授權存取,進而允許修改學術成績。此外,該研究員指控一次性密碼 (OTP) 機制存在系統性失效,聲稱伺服器在驗證回應中傳送了 OTP,使得客戶端能夠繞過驗證程序。

Additional claims involve the absence of robust route security within the Angular-based application. Adhikary contends that internal directories, including the verification dashboard and profile sections, are accessible via the manipulation of browser storage. He further alleges that the password reset functionality lacks a requirement for prior credential verification, potentially enabling account takeover through Insecure Direct Object Reference (IDOR) vulnerabilities.

其他指控涉及該基於 Angular 的應用程式缺乏強健的路徑安全保護。Adhikary 主張,透過操縱瀏覽器儲存空間,即可存取包括驗證控制台和個人資料分頁在內的內部目錄。他進一步指控密碼重設功能缺乏事前憑據驗證的要求,可能導致透過不安全直接對象引用 (IDOR) 漏洞而被接管帳戶。

Regarding the institutional response, the CBSE has issued a denial of a systemic breach. The administration characterized the compromised site as a testing environment utilized for internal trials, maintaining that the operational portal employs a distinct URL and remains secure. Conversely, Adhikary has disputed this characterization, providing digital evidence and claiming that the URL cited by the board in its rebuttal was non-existent at the time of his report.

關於機構回應,CBSE 已否認發生系統性洩漏。行政部門將受影響的網站描述為用於內部試驗的測試環境,並堅持正式運作的門戶網站使用不同的 URL 且保持安全。相反地,Adhikary 對此說法提出異議,並提供數位證據聲稱委員會在反駁中引用的 URL 在其報告當時並不存在。

Conclusion

The situation remains a conflict of assertions between an independent researcher and the CBSE regarding the operational status and security of the OSM portal.

目前的狀況仍是獨立研究員與 CBSE 之間針對 OSM 門戶網站的運作狀態與安全性的說法衝突。

Vocabulary Learning

The Architecture of Hedging and Attributive Verbs

To bridge the gap from B2 to C2, one must move beyond simple reporting verbs like say or believe and master the nuance of evidentiary distance. In high-level academic and legalistic English, the writer rarely presents a claim as an absolute fact when it is contested. Instead, they employ a sophisticated layer of 'hedging' through precise attributive verbs.

◈ The Spectrum of Assertion

In this text, notice how the author navigates a volatile situation (an accusation of hacking) without adopting a biased stance. This is achieved by selecting verbs that categorize the nature of the claim:

  • Asserted / Posits: These indicate a strong, confident claim based on a theoretical or technical premise. Posits specifically suggests the proposal of a hypothesis as a basis for argument.
  • Alleges / Claims: These are the hallmarks of C2 forensic reporting. They signal that the information is an accusation that has not yet been legally or formally proven. To use allege is to strategically distance the writer from the truth-value of the statement.
  • Contends: This suggests a point of contention or a debate, implying that there is a counter-argument (which, in this text, is provided by the CBSE).
  • Characterized: Used here to describe how the CBSE framed the situation. It doesn't just mean 'said'; it implies the intentional shaping of a narrative.

◈ Syntactic Sophistication: Nominalization and Passive Distance

Observe the phrase: "The technical allegations center upon the identification of..."

Instead of saying "He alleges that he identified..." (B2 level), the author uses Nominalization (turning verbs into nouns: allegations, identification). This shifts the focus from the person to the phenomenon, creating an objective, clinical tone essential for C2 proficiency in professional contexts.

◈ Lexical Precision for Technical Friction

Note the use of Conversely and Rebuttal. While a B2 student might use however or answer, the C2 writer uses conversely to signal a direct structural inversion of the previous argument, and rebuttal to specify a formal contradiction of evidence.

Vocabulary Learning

credential
A piece of information used to verify identity or authorization.
Example:The system requires a credential before granting access.
unauthorized
Not permitted or approved; lacking official permission.
Example:Unauthorized users were blocked from the network.
modification
The act of changing or altering something.
Example:The modification of the database schema caused downtime.
systemic
Relating to or affecting an entire system.
Example:Systemic flaws in the protocol were discovered.
failure
The lack of success or inability to perform a task.
Example:The failure of the backup system led to data loss.
authentication
The process of verifying identity or credentials.
Example:Authentication is required before login.
client-side
Executed on the user's device rather than on the server.
Example:Client-side validation reduces server load.
manipulation
The action of controlling or influencing something.
Example:The manipulation of cookies compromised security.
verification
The act of confirming validity or truth.
Example:Verification of the OTP ensures security.
takeover
The act of assuming control over an account or system.
Example:Account takeover was prevented by two-factor authentication.
denial
A statement that something is not true or does not exist.
Example:The denial of responsibility was issued by the company.
characterization
A description or portrayal of something.
Example:The characterization of the threat was misleading.
rebuttal
A refutation or counterargument to a claim.
Example:Her rebuttal clarified the misunderstanding.
nonexistent
Not existing or present; lacking reality.
Example:The nonexistent link led to a 404 error.
operational
In use or functioning effectively.
Example:The operational status of the server was confirmed.
conflict
A disagreement or clash of opinions or interests.
Example:The conflict of opinions delayed the decision.
assertion
A confident statement of fact or belief.
Example:His assertion about the data was later proven false.
Practice C2 words in a crossword