Allegations of Security Vulnerabilities within the CBSE On-Screen Marking Infrastructure

關於 CBSE 螢幕評分基礎設施存在安全漏洞之指控


Introduction

A cybersecurity researcher has alleged that the Central Board of Secondary Education's (CBSE) digital evaluation portal contains critical security flaws, a claim the board has formally contested.

一名網路安全研究人員指稱,中央中等教育委員會 (CBSE) 的數位評分門戶網站存在嚴重安全缺陷,該委員會已正式對此說法提出異議。

Main Body

The controversy centers on assertions made by Nisarga Adhikary, a 19-year-old who identifies as a software engineer. Adhikary posits that the On-Screen Marking (OSM) system, implemented for Class 12 examinations to mitigate manual totaling errors and accelerate evaluation, possesses a hard-coded 'master password' within its frontend JavaScript bundle. He contends that this vulnerability facilitates the circumvention of One-Time Password (OTP) verification, thereby granting unauthorized access to examiner accounts. According to Adhikary, such access would permit the modification of student marks, the alteration of examiner profiles, and the large-scale extraction of sensitive data. Furthermore, he alleges the existence of approximately 40 broken access control vulnerabilities and a deficient password-reset mechanism.

此次爭議的核心在於一名 19 歲且自稱為軟體工程師的 Nisarga Adhikary 所提出的主張。Adhikary 認為,為了減少人工加總錯誤並加速評分而針對 12 年級考試實施的螢幕評分 (OSM) 系統,在其前端 JavaScript 封裝中包含了一個硬編碼的「主密碼」。他主張此漏洞可使使用者繞過一次性密碼 (OTP) 驗證,進而獲取考官帳號的未經授權訪問權限。根據 Adhikary 的說法, such 訪問權限將允許修改學生分數、更改考官個人資料以及大規模提取敏感數據。此外,他指稱系統中存在約 40 個存取控制漏洞,且密碼重設機制存在缺陷。

In response to these claims, the CBSE has maintained a position of denial regarding any compromise of the live evaluation infrastructure. The administration characterized the affected URL as a testing site utilized exclusively for internal review with sample data, asserting that the actual production portal remains secure. This institutional rebuttal is contested by Adhikary, who claims to have accessed production data and hijacked the account of a verified educator during his analysis. These security allegations coincide with broader systemic criticisms; students have previously reported technical irregularities, including illegible scans and the misattribution of answer sheets, the latter of which the CBSE acknowledged as a technical error in one specific instance. Adhikary stated that his investigation was prompted by these public grievances and that he reported his findings to the Indian Computer Emergency Response Team (CERT-In) in February.

針對這些指控,CBSE 堅持否認正式評分基礎設施遭到入侵。管理層將受影響的 URL 定義為僅用於內部審查及存放樣本數據的測試網站,並聲稱實際的生產門戶網站仍然安全。然而,Adhikary 對此機構的反駁提出質疑,他聲稱在分析過程中已訪問了生產數據並盜用了某位認證教育者的帳號。這些安全指控與更廣泛的系統性批評同時發生;學生此前曾報告技術異常,包括掃描件模糊以及答題紙歸屬錯誤,後者在一個特定案例中被 CBSE 承認是技術錯誤。Adhikary 表示,他的調查是由這些公眾抱怨所觸發,並於 2 月將其發現報告給印度電腦緊急應對小組 (CERT-In)。

Conclusion

The situation remains a conflict of assertions between an independent researcher claiming systemic insecurity and the CBSE maintaining the integrity of its production environment.

目前的情況仍是獨立研究人員聲稱系統不安全,與 CBSE 主張其生產環境完整性之間的說法衝突。

Vocabulary Learning

The Architecture of Hedges and Formality in Adversarial Narratives

To ascend from B2 to C2, a student must move beyond merely reporting facts to mastering nuance, epistemic modality, and strategic distancing. In the provided text, the author avoids taking a side in a conflict, employing a sophisticated linguistic shield to maintain objectivity while describing an accusation.

⚡ The 'Verbal Buffer' Phenomenon

C2 English utilizes specific verbs and nouns to create a 'buffer' between the writer and the truth-claim. Notice the strategic deployment of:

  • Assertions / Allegations / Claims: Rather than stating "the system is broken," the author states "the controversy centers on assertions." This transforms a factual claim into a subject of discussion.
  • Posits / Contends: These are not mere synonyms for 'says.' To posit suggests the proposal of a theory for the sake of argument; to contend implies a firm position held in the face of opposition.

🔍 Semantic Precision: 'Mitigate' vs. 'Reduce'

While a B2 student might use "reduce errors," the C2 writer chooses "mitigate manual totaling errors."

  • Mitigation implies making something less severe or painful, often used in technical or legal contexts (e.g., mitigating circumstances). It acknowledges that the risk still exists but has been managed—a crucial distinction in high-level academic and technical writing.

🛠️ Syntactic Complexity: The Nominalized Chain

Observe this sequence: "This institutional rebuttal is contested by Adhikary..."

Instead of a simple clause ("The board denied it, but Adhikary disagreed"), the writer uses Nominalization (turning a verb into a noun). "Rebuttal" replaces "the act of rebutting." This allows the writer to treat an entire action as a single object, which can then be modified by a precise adjective (institutional), creating a dense, formal, and authoritative tone.

C2 Transition Tip: Stop focusing on who did what (Subject \rightarrow Verb \rightarrow Object) and start focusing on what concept is interacting with which other concept (Abstract Noun \rightarrow Passive Verb \rightarrow Agent).

Vocabulary Learning

allegations
Public accusations or claims that someone has done something wrong.
Example:The allegations against the company were quickly investigated.
controversy
A prolonged public disagreement or heated discussion.
Example:The controversy over the new policy lasted for months.
assertions
Statements that present something as fact.
Example:His assertions were supported by evidence.
posits
To put forward as a basis for argument.
Example:She posits that the data indicates a trend.
hard-coded
Written directly into a program, not adjustable.
Example:The password was hard-coded into the script.
vulnerability
A weakness that can be exploited to gain unauthorized access.
Example:The software's vulnerability was patched.
circumvention
The act of bypassing a restriction or obstacle.
Example:The circumvention of the firewall was detected.
verification
The process of confirming authenticity or correctness.
Example:Verification of the identity was required.
unauthorized
Not authorized or permitted; lacking official permission.
Example:Unauthorized access was logged.
modification
The act of changing or altering something.
Example:Modification of the file caused errors.
alteration
A change or variation from the original state.
Example:The alteration of the contract was noted.
extraction
The act of removing or obtaining something, especially data.
Example:Data extraction was performed overnight.
deficient
Lacking in quality, quantity, or effectiveness.
Example:The plan was deficient in detail.
denial
The act of refusing to admit or accept.
Example:The denial of the request was unexpected.
compromise
A state of being weakened or breached, especially in security.
Example:The compromise of the system was alarming.
infrastructure
The fundamental physical and organizational structures needed for operation.
Example:The infrastructure supports the network.
rebuttal
A refutation or counterargument to a claim.
Example:Her rebuttal addressed all points.
contested
Disputed or challenged, especially in a legal or formal sense.
Example:The contested election was delayed.
hijacked
Seized or taken over, typically by unauthorized means.
Example:The account was hijacked by a hacker.
systemic
Relating to or affecting an entire system, not just individual parts.
Example:Systemic reforms were proposed.
misattribution
Assigning a wrong source or cause to something.
Example:The misattribution of blame caused confusion.
grievances
Complaints or expressions of dissatisfaction.
Example:Employees filed grievances.
integrity
The quality of being honest and morally upright.
Example:Integrity is essential in research.
Practice C2 words in a crossword