This Exam System's Security Flaw Exposed Everything
Key Takeaways
Analyzes the security flaws in the On-Screen Marking exam system
Original Description
A system that grades the exams of nearly two million students was left wide open by a handful of basic security mistakes — the kind you find in the first few chapters of any web security course.
In this video we break down exactly what went wrong with the On-Screen Marking (OSM / OnMark) portal used by CBSE: a login you could bypass right in the browser, a master password sitting in plain text, broken access control (IDOR), and an Amazon S3 bucket anyone could list without logging in. Then we do the part that matters most — how a system like this should actually be designed so it never breaks this way.
Whether you are a student trying to understand what really happened, or a junior engineer who never wants to ship these bugs, this one is for you.
🔐 Cybersecurity for Software Engineers is in beta. Last few seats, and 10 new videos drop this week:
👉 https://academy.bytemonk.io/cybersec
The full System Design path is here too:
👉 https://academy.bytemonk.io/systemdesign
📚 Related Resources:
→ ByteMonk Blog: https://blog.bytemonk.io/
→ System Design Course: https://academy.bytemonk.io/cybersec
→ LinkedIn: https://www.linkedin.com/in/bytemonk/
→ Github: https://github.com/bytemonk-academy
⏱️ Timestamps
0:00 The exam system that broke
1:07 How on-screen marking actually works
2:16 Flaw #1 — Trusting the browser (auth bypass)
3:45 Flaw #2 — A master password in plain sight
4:31 Flaw #3 — Broken access control (IDOR)
6:48 Flaw #4 — The open S3 bucket
9:39 "We're under attack" — DoS, explained
11:01 How to design it securely
11:53 What CBSE should fix
12:42 Recap + resources
⚠️ This video is for educational and defensive-security purposes only. It explains common vulnerability classes and secure system design. It does not provide instructions to attack any live system. The vulnerabilities discussed were reported by independent researchers and acknowledged publicly by the board; some specific researcher claims remain independently unverified and are described as claim
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Related Reads
Chapters (10)
The exam system that broke
1:07
How on-screen marking actually works
2:16
Flaw #1 — Trusting the browser (auth bypass)
3:45
Flaw #2 — A master password in plain sight
4:31
Flaw #3 — Broken access control (IDOR)
6:48
Flaw #4 — The open S3 bucket
9:39
"We're under attack" — DoS, explained
11:01
How to design it securely
11:53
What CBSE should fix
12:42
Recap + resources
🎓
Tutor Explanation
DeepCamp AI