be @ni5arga
→ 19 years old, from West Bengal, studied in Delhi for a few years
→ just finished his own Class 12 exams in 2026
→ calls himself a hobbyist cybersecurity researcher
→ says he is an engineer, not a hacker
→ built an OSINT engine, a stock-tracking TUI, a pastebin in Rust
→ once found bugs in FOSS United and disclosed them quietly
→ just another CBSE student watching his own board roll out a new digital marking system
then he opened the portal
→ CBSE moves Class 12 evaluation to On-Screen Marking, 1.8 million students affected
→ Nisarga sees the portal link is fully public, gets curious
→ opens DevTools, downloads the Angular JavaScript bundle
→ first vulnerability found in 30 minutes
→ a literal master password sitting in plain text inside the frontend code
→ enter it, the OTP field auto-fills, the entire login flow gets bypassed
→ OTP validation happens in the user's browser, not on the server
→ no route guards, every internal page reachable by editing browser storage
→ password reset API never checks the old password
→ systemic IDOR across the entire API, change one value in sessionStorage, become any examiner
→ outcome: take over any teacher account, view answer sheets, edit marks
25 February 2026. He reports everything to CERT-In the same day.
→ CERT-In asks for a screen recording, he sends a full walkthrough
→ acknowledgement comes back as a boilerplate reply
→ reference number assigned: CERTIn-16590126
→ he follows up multiple times. no response.
→ three months pass. portal still live. Class 12 results released. vulnerabilities still there.
→ 22 May: publishes the blog post and a thread on X
→ Deedy Das, Satish Acharya, Internet Freedom Foundation amplify it
→ the post goes viral
→ CBSE issues a clarification: that was just a test portal, no breach
→ the URL CBSE cited in their own tweet was not even a registered domain
→ a friend buys the domain and points it at Nisarga's blog
→ CBSE quietly deletes the tweet
then it gets worse
→ 25 May: finds an SQL injection vulnerability on the live production portal
→ reports to CERT-In, gets a one-line thank you
→ gains admin access to the live https://t.co/1WpmNGsczK server
→ portal stays up for four more hours
→ he uploads anime videos and memes, links them publicly from CBSE servers
→ plays a viral Japanese song on a CBSE page, makes the news for it
→ CBSE finally takes the whole portal down
then he reads the database
→ master table accessed: 10 GB, 9.3 million records
→ examiner names, addresses, school names, bank account details
→ passwords stored in plain text
→ login tokens anyone can paste into a browser to log in as that user
→ 31 May: finds a second live CBSE production portal, 45,074 records of failed payments
→ emails, phone numbers, payment IDs, order IDs, all readable
→ 31 May, the bigger one: an AWS S3 bucket is misconfigured
→ ListObjectsV2 works without authentication, the bucket root is listable
→ samples pulled from 18 lakh scanned 2026 answer sheets, every subject
→ multiple institutions sharing the same bucket
→ also notices something strange in the scans: bedsheets visible in the background of answer sheets CBSE paid for proper scanners to handle
CBSE responds
→ posts an AI-generated image saying the system is robust and secure
→ three days later admits some vulnerabilities existed and have been contained
→ refuses to name the cybersecurity firm doing the audit
→ claims they tried contacting him. he says they have not.
→ Internet Freedom Foundation writes to the Ministry of Education and CERT-In
→ asks for an investigation into CBSE, a review of the contract with vendor Coempt EduTeck, a full audit
→ he points out he could have sold this data and made a lot of money
→ he did not. he is a CBSE student too.
→ his own analogy: the door wasn't just unlocked. the key was lying on the ground in front of everyone.
a 19-year-old with an anime pfp broke a national exam evaluation system in 30 minutes with browser developer tools and the government is still pretending it was a test environment
All media channels, digital platforms and individuals are advised to refrain from live coverage or real-time reporting of defence operations and movement of security forces. Disclosure of such sensitive or source-based information may jeopardize operational effectiveness and endanger lives. Past incidents like the #KargilWar, 26/11 attacks, and the #Kandahar hijacking underscore the risks of premature reporting. As per clause 6(1)(p) of the Cable Television Networks (Amendment) Rules, 2021, only periodic briefings by designated officials are permitted during anti-terror operations. All stakeholders are urged to exercise vigilance, sensitivity, and responsibility in coverage, upholding the highest standards in the service of the nation. 🇮🇳
Read more: https://t.co/bHscgUBMEV
#MediaAdvisory #NationalSecurity #MIBIndia #ResponsibleReporting
@rajnathsingh @DefenceMinIndia @SethSanjayMP @HQ_IDS_India @adgpi @indiannavy @IAF_MCC @PIB_India
Tamil Nadu had 5.54% Real NSDP Growth Per Capita CAGR, compared to 4.43% Real GDP Growth Per Capita CAGR for India (RBI's statistics). This is Compound Annual Growth Rate (CAGR) for the 10 year period ending March 31, 2023 as the 2024 Fiscal Year still has one month left.
As a consequence, we went UP from at least 1.3 times to at least 1.44 times the Indian average per capita GDP (2011-2012 Rupee Base). (Note the state data is NET, while the National is GROSS).
Why would anyone WANT to slow TN's growth by more than 1% every year, to come down to the Indian average? In reality, the gap will likely widen further under the leadership of Hon CM @mkstalin, rather than come down to the Indian average.
The rest of the reported statement, if accurate, has worse deviations from the facts, and indeed the truth (e.g. AIIMS Madurai's construction is yet to start; the TN Governor does not even sign Legislation from the Assembly - an illogical way of working for the development of TN)
The great luxury of advanced levels of education, and widespread rational thinking - both clear outcomes of the Dravidian Ideology in Government for decades - is that the vast majority of Tamil people recognize reality, and experience progress, in their daily lives. So they cannot be duped into believing gross falsehoods
Ultimately, the people get the Government they elect, and then experience the differing outcomes they chose at the booth.
Can English commentators pls stop saying brilliant captaincy by Ben Stokes every 3 seconds for basically changing field every 2 balls. It's not a revolutionary approach that you think it is. It just causes slow over rate due to which your team's almost bottom of table.
I saw the Dhruv Rathee video.
I also saw the Twitter reactions to the video.
Dhruv Rathee uses facts to attack a person.
Twitter warriors attack the person instead of combating the facts.
@Olacabs @Uber_India Consider adding a feature to report Auto/Cab drivers who watch Youtube videos or use Mobile phone while driving. Would be a great initiative for safer roads…
@tim_cook It’s high time you look into the Apple Support provided in India. Submitted my new Airpods for service for 4th time and they’re still not acknowledging/fixing the issue. Device is still in warranty and was bought on May22. To add to this, Apple phone support is a joke.
1. There are six classical languages in India - Tamil, Sanskrit, Telugu, Malayalam and Odia.
Hindi is not one of them.
For a language to be described as a Classical language, it should meet 4 criteria.
@JioCare I’m yet to get refund for JioFiber recharge transaction done on 28-Mar. Transaction not showing up in Recharge history as well. Tried calling the customer care multiple times but they don’t understand the language I speak. Your email team also isn’t that supportive.
@HathwayBrdband Please let me know what I should do to stop receiving torturous calls from your telecallers. I'm out of town for a few months and already communicated the same but no help. Getting 4-5 calls everyday!
PS: Already terminated the connection still no relief
TN is not against Hindi, it is against forcing Hindi.
Knowing many languages is a strength. But that should be by choice and not by imposition.
And here is a deleted scene from #LKG 😉🙏 #HindiIsNotTheNationalLanguage
Irritated by the plenty of Morons on Social Media who seek this moment of tragedy to spread propaganda and hatred, when thousands, irrespective of their religion or caste, are suffering and seek your financial and moral support! #KeralaFloods #Kerala #KeralaSOS
Never lost an election since 1957. Started his career participating in an anti Hindi agitation... was very publicly anti Indira’s emergency... anti untouchability, zamindari system and religious hypocrisy. He was everything a bhakt is scared of. No wonder the hate. #Karunanidhi