























“NTA’s Re-examination portal has a superadmin login bypass by using extremely weak credentials,” wrote Dubai-based cybersecurity researcher Rylen Anil.
He further said that this vulnerability exposed the content related to Personally Identifiable Information (PII). “This exposes bulk user data: ~7.9k observers, 676 CCs, 5.4k CS/centers, including names, emails, and phone numbers,” he added.
“Beyond leaking data, the bypass gives access to the superadmin dashboard itself. From there, the portal exposes admin functions to manage observers. It also has controls to export CSVs, generate/download appointment letters, upload templates, upload nodal officer mappings, etc.,” he further wrote on X.

At the time of writing this report, the URL shared by Anil is inaccessible. The 404 error notice read: “The requested URL was not found on this server.” However, after a few hours of Anil’s post, a X user posted a screenshot of the site being publicly accessible on a mobile network.
CBSE’s Digilocker portal is also compromised: He posted another vulnerability in CBSE’s DigiLocker portal. He said that it “uses client-side AES encryption with a hard-coded passphrase.” “All the encryption logic is in a public JS file where anyone can read it. This makes the login encryption easy to copy and not a real security boundary,” he further added. He didn’t disclose if he had reported these incidents to NTA, CERT-IN, or CBSE.
What it means: CBSE’s DigiLocker portal encrypts login data using AES, a strong encryption standard, but does so entirely in the user’s browser using a fixed, hard-coded passphrase. He demonstrated that all the encryption logic, including that passphrase, is stored in a publicly readable JavaScript file that anyone can access using standard browser developer tools, rendering the protection meaningless. An attacker who intercepts login traffic already has everything needed to decrypt the encrypted keys, since the key and the algorithm are openly available within the JavaScript.
What is NTA? NTA (National Test Agency) is India’s organisation responsible for conducting competitive national-level entrance examinations for various students. For example:
Quick recap of CBSE’s recent vulnerability: On May 22, Nisarga Adhikary publicly exposed the security vulnerabilities of the Central Board of Secondary Education (CBSE) On-Screen Marking (OSM) system. He posted the blog after CERT-In failed to act to fix OSM’s systems, despite flagging the issue to India’s cybersecurity agency over three months ago.
After more than a week, on May 31, CBSE finally acknowledged the vulnerability and said, “an expert team of cybersecurity professionals has been deployed over the last few days.” They also claimed that identified vulnerabilities were contained and other exploitable weaknesses were being ruled out.
You can read MediaNama’s coverage of this incident here: [Link-1 | Link-2 ]
We have reached out to NTA, CERT-In and CBSE for a comment. We will update the copy if we receive a response.
AI disclosure: We used Claude to understand a few technical concepts.
Also Read:
For You
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。