The Economic Times
Trending Desk

Nisarga Adhikary, a 19-year-old ethical hacker who exposed CBSE portal security flaws, gets a job at IIT Kanpur

Days after drawing national attention with allegations of security flaws in CBSE's digital infrastructure, 19-year-old ethical hacker Nisarga Adhikary has joined IIT Kanpur's cybersecurity innovation hub.

Adhikary has been appointed as an Open-Source Intelligence (OSINT) and Threat Intelligence Engineer at C3iHub, IIT Kanpur's technology innovation centre focused on cybersecurity. His LinkedIn profile states that he is currently working in OSINT and threat intelligence at the institute.

CBSE allegations brought him into the spotlight

The appointment follows a series of claims made by Adhikary regarding vulnerabilities in CBSE's digital systems.

In posts on X, he alleged that scanned answer sheets and question papers linked to CBSE were publicly accessible due to a cloud storage configuration issue. According to him, an AWS storage bucket containing 2026 answer sheets and question papers could be accessed without authentication.

"Anyone on the internet can download any scanned booklet," he wrote in one of the posts.

The claims quickly gained traction online, with users expressing concerns over student privacy and the security of examination-related data.

Claims about vulnerabilities in the OSM portal

Adhikary had earlier claimed to have discovered security flaws in CBSE's On-Screen Marking (OSM) portal.

In a blog post, he said he identified the vulnerabilities in February and reported them to CERT-In before disclosing them publicly.

According to his account, the flaws could have enabled unauthorised access to parts of the evaluation system.

What vulnerabilities did he claim to find?

According to the blog, the alleged vulnerabilities included a "hardcoded master password" visible inside the portal's JavaScript bundle, client-side OTP validation, missing route protections, password reset flaws and what he described as a "systemic IDOR vulnerability".

Explaining the ease with which he claimed the flaws could be exploited, Adhikary wrote:

"One of the hardest things was not exploitation," he wrote. "The hardest part was reading a JavaScript file and editing a couple of values in DevTools."

He also criticised the portal's OTP verification mechanism.

"A security control that runs on the attacker's machine isn't a control at all," he wrote.

Referring to the alleged implementation of OTP validation, Adhikary claimed that OTP verification was effectively meaningless because "the browser grades its own test".
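
The contrast to client-side OTP validation, as an added example that is not code from the portal or from Adhikary's blog: in this Node.js code the server generates the code, stores only its hash, and decides the result itself, so nothing in the browser can change the verdict. The function names, the in-memory store, the five-minute expiry and the five-attempt limit are assumptions for illustration.

```javascript
// Added example: server-side OTP verification. Names and limits are assumptions.
const crypto = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000; // assumed validity window
const MAX_ATTEMPTS = 5;           // assumed number of guesses allowed per code
const pending = new Map();        // userId -> { digest, expiresAt, attempts }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// The code is generated on the server. Only its digest is stored; the code
// itself goes to the user out of band (SMS or e-mail) and never appears in
// an HTTP response body or in the JavaScript bundle.
function issueOtp(userId, now = Date.now()) {
  const code = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
  pending.set(userId, { digest: sha256(code), expiresAt: now + OTP_TTL_MS, attempts: 0 });
  return code; // hand to the delivery channel only
}

// The verdict is computed here. The browser only submits a guess.
function verifyOtp(userId, submitted, now = Date.now()) {
  const rec = pending.get(userId);
  if (!rec) return { ok: false, reason: 'no_pending_otp' };
  if (now > rec.expiresAt) {
    pending.delete(userId);
    return { ok: false, reason: 'expired' };
  }
  if (rec.attempts >= MAX_ATTEMPTS) {
    pending.delete(userId); // force a fresh code after too many guesses
    return { ok: false, reason: 'locked' };
  }
  rec.attempts += 1;
  // Both digests are 32 bytes, so the constant-time comparison never throws.
  const match = crypto.timingSafeEqual(sha256(String(submitted)), rec.digest);
  if (!match) return { ok: false, reason: 'mismatch' };
  pending.delete(userId); // single use: a verified code cannot be replayed
  return { ok: true };
}
```

Any route that depends on the OTP should check a server-side session flag set only after `verifyOtp` returns `ok: true`, not a value sent by the client.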

Move to IIT Kanpur

Amid the attention generated by his disclosures, Adhikary has now joined IIT Kanpur's C3iHub, a move that places him within one of India's leading cybersecurity research and innovation ecosystems.

The development comes as discussions around cybersecurity, responsible disclosure and the security of digital education platforms continue to gain prominence.
