The 16-year-old in Dubai who exposed India's most critical exam portals and reported what he found

The teenage ethical hacker who found serious security flaws in a matter of hours

Zainab Husain, Features Writer
A Class 12 student based in Dubai found security vulnerabilities in the JEE Advanced and NEET systems and reported them to authorities.
X/@DarthKermi72747

Dubai: Rylen Anil woke up one morning to find his phone flooded with notifications. By the time the school day ended, his mum had already seen the headlines. A 16-year-old hacker had breached two of India's most high-stakes examination systems and that teenager was her son.

Anil, a Class 12 CBSE student based in Dubai, had spent the previous evening probing the digital infrastructure behind JEE Advanced and NEET, two examinations that determine university admissions for millions of students across India.

Having identified serious vulnerabilities in both portals, he reported his findings to CERT-In, India's national cybersecurity response team, then shared what he had discovered on X.

"It took me about three to four hours to get into both platforms. Once I did that, I reported the vulnerabilities to CERT-In, then posted about it on X (Twitter). That's how people learned about it," he told Gulf News.

By morning, Indian news publications were running the story.

"I didn't tell my parents I had done this," Anil said. "I woke up and went to school, and my mum saw headlines about a 16-year-old hacker. She called me. At first my parents were worried, but my dad comes from a tech background, so I explained it to him and he understood and they were proud of me."


What the vulnerabilities revealed

Anil's investigation uncovered two distinct types of security failures. In the case of JEE Advanced 2026, the problem was a misconfiguration in publicly accessible cloud storage. With no authentication required, bulk candidate data was left exposed, including 179,600 result records and 187,300 admit-card PDFs containing candidate names, dates of birth, and mobile numbers.

"They had stored all of their result details and admit cards on one server, and that server had a misconfiguration in how it was set up," Anil explained. "Using that misconfiguration, I was able to access and retrieve all the data."

The NEET system presented a different but equally serious problem: dangerously weak credentials on its super-admin portal. "Through bypassing these vulnerabilities, I could see not only the sensitive information of students, but also their parents'," Anil said.

Anil was careful in how he disclosed his findings, redacting personal details and photographs in any public posts, and later clarifying that no JEE candidate data had been leaked in full. He downloaded a small number of files solely for verification purposes and deleted them afterwards.

A third breach: CBSE's OnMark evaluation portal

Anil's findings did not stop at NEET and JEE. Working alongside a fellow ethical hacker named Nisarga, he also identified a critical vulnerability in the OnMark evaluation portal, part of the CBSE's On-Screen Marking (OSM) system used to mark board examination papers. The initial access came through guessable credentials.

Once inside, the pair found that evaluator emails, usernames, passwords, phone numbers, institution details, and subject assignments were all exposed.

The same access enabled them to pivot into evaluator accounts, where scanned answer scripts and the live marking interface were accessible. The vulnerability was reported to CERT-In promptly, and the portal has since been fixed and taken offline.

The official response

The reaction from officials was swift and largely appreciative. IT staff from IITs and the National Testing Agency (NTA) contacted Anil to thank him, requested further technical details, and moved to address the issues. IIT Roorkee publicly acknowledged the vulnerability on X.

"So far the response has been appreciative," Anil said. "They are now trying to resolve the issues. I think it's important that they are showing a willingness to listen and that they are also resolving them quickly."

Several IITs (Indian Institutes of Technology) have since posted official statements on X, saying they made emergency technical fixes to help candidates who couldn't access their admit cards. These fixes briefly caused a minor misconfiguration in a cloud storage system.

"An ethical hacker, Mr. Rylen Anil, identified this misconfiguration and reported that he could access the concerned database. The issue was immediately rectified, and access to the data was restricted."

A growing movement 

Anil is not alone. He is part of a small but growing network of young ethical hackers in India who have been scrutinising the country's education technology infrastructure. Peers such as Nisarga and Sarthak Sidhant, both teenagers, have been equally active.

In a notable development, Sarthak Sidhant, aged 17, appeared before a Parliamentary Standing Committee to present findings on alleged irregularities in the CBSE's tendering process for its On-Screen Marking system. For Anil, the appearance signals that the work being done by this group of young researchers is being taken seriously at the highest levels.

"Ethical hacking can expose vulnerabilities in normal portals of organisations, making them eventually more secure. The Indian government should use ethical hackers to find vulnerabilities in major platforms before malicious attackers do," Anil said.

"Major corporations like Google, Microsoft, Amazon, and Meta employ ethical hackers to proactively find vulnerabilities," Anil noted. "I think the Indian government should do the same, not just in education but across all major platforms and portals that store sensitive data."

He also raised the possibility of undiscovered flaws still lurking in existing systems. "Some of these portals may have other vulnerabilities that have not yet been found. If bad actors find them first, the consequences could be serious."

How a teenager learned to read a system's weak points

The answer to how a 16-year-old came to identify security flaws in infrastructure used by millions lies in computer classes and a passion for gaming that dates back to eighth grade.

"Ever since eighth grade, I've been exploring computer systems," Anil said. "I learnt a lot about cybersecurity and Linux, that's where I found my passion. Those experiences all came together in what I achieved here."

As for what comes next, Anil is clear-eyed about his ambitions. He plans to study cybersecurity at university and, one day, to become a chief information security officer.
