This Exam System's Security Flaw Exposed Everything

ByteMonk · Beginner ·🔐 Cybersecurity ·1mo ago

Key Takeaways

Analyzes the security flaws in the On-Screen Marking exam system

Original Description

A system that grades the exams of nearly two million students was left wide open by a handful of basic security mistakes — the kind you find in the first few chapters of any web security course. In this video we break down exactly what went wrong with the On-Screen Marking (OSM / OnMark) portal used by CBSE: a login you could bypass right in the browser, a master password sitting in plain text, broken access control (IDOR), and an Amazon S3 bucket anyone could list without logging in. Then we do the part that matters most — how a system like this should actually be designed so it never breaks this way. Whether you are a student trying to understand what really happened, or a junior engineer who never wants to ship these bugs, this one is for you. 🔐 Cybersecurity for Software Engineers is in beta. Last few seats, and 10 new videos drop this week: 👉 https://academy.bytemonk.io/cybersec The full System Design path is here too: 👉 https://academy.bytemonk.io/systemdesign 📚 Related Resources: → ByteMonk Blog: https://blog.bytemonk.io/ → System Design Course: https://academy.bytemonk.io/cybersec → LinkedIn: https://www.linkedin.com/in/bytemonk/ → Github: https://github.com/bytemonk-academy ⏱️ Timestamps 0:00 The exam system that broke 1:07 How on-screen marking actually works 2:16 Flaw #1 — Trusting the browser (auth bypass) 3:45 Flaw #2 — A master password in plain sight 4:31 Flaw #3 — Broken access control (IDOR) 6:48 Flaw #4 — The open S3 bucket 9:39 "We're under attack" — DoS, explained 11:01 How to design it securely 11:53 What CBSE should fix 12:42 Recap + resources ⚠️ This video is for educational and defensive-security purposes only. It explains common vulnerability classes and secure system design. It does not provide instructions to attack any live system. The vulnerabilities discussed were reported by independent researchers and acknowledged publicly by the board; some specific researcher claims remain independently unverified and are described as claim
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Related Reads

📰
IDOR simple way with no burpsuite banged P3
Learn a simple way to identify IDOR vulnerabilities without using Burpsuite, and understand the impact and reporting of such vulnerabilities
Medium · Cybersecurity
📰
OneLake Security Just Hit GA.
OneLake Security hits general availability, enhancing Microsoft's security capabilities
Medium · Data Science
📰
How Cyber Security Consultants in Perth Help Businesses Strengthen IT Protection
Learn how cyber security consultants in Perth can help businesses strengthen IT protection and prevent cyber threats
Medium · Cybersecurity
📰
How to PASS CISSP exam in one-go for REAL
Learn how to pass the CISSP exam in one attempt with tips from a personal experience, focusing on careful question reading and technique application.
Medium · Cybersecurity

Chapters (10)

The exam system that broke
1:07 How on-screen marking actually works
2:16 Flaw #1 — Trusting the browser (auth bypass)
3:45 Flaw #2 — A master password in plain sight
4:31 Flaw #3 — Broken access control (IDOR)
6:48 Flaw #4 — The open S3 bucket
9:39 "We're under attack" — DoS, explained
11:01 How to design it securely
11:53 What CBSE should fix
12:42 Recap + resources
Up next
Best VPN For China 2026 — Which One Actually Works?
Tutorial Stack
Watch →