Missouri Gov. Mike Parson today threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security flaw that exposed the Social Security numbers of teachers and other school employees, claiming that the journalist is a “hacker” and that the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news outlet.” The Republican governor also vowed to hold the Post-Dispatch “accountable” for the supposed crime of helping the state find and fix a security vulnerability that could have harmed teachers.
Despite Parson’s surprising description of a security report that normally wouldn’t be particularly controversial, it appears that the Post-Dispatch handled the problem in a way that prevented harm to school employees while encouraging the state to close what one security professor called a “mind-boggling” vulnerability. Josh Renaud, a Post-Dispatch web developer who also writes articles, wrote in a report published yesterday that more than 100,000 Social Security numbers were vulnerable “in a web application that allowed the public to search teacher certifications and credentials.” The Social Security numbers of school administrators and counselors were also vulnerable.
“Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved,” the report said.
The Post-Dispatch seems to have done exactly what ethical security researchers generally do in these situations: give the organization with the vulnerability time to close the hole before making it public.
“The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities,” the article said. The news report was published one day after the “department removed the affected pages from its website.”
As of this writing, the DESE’s educator-credentials checker was “down for maintenance.”
Governor: Journalist tried to “harm Missourians”
Parson described the journalist as a “perpetrator” who “took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators” in an “attempt to steal personal information and harm Missourians.”
Major web browsers include options such as “view source” or “view page source” to look at a webpage’s HTML, so anything in that code is easily available. The initial Post-Dispatch article didn’t go into detail about how the Social Security numbers were obtained from HTML source code, but a follow-up article about Parson’s legal threats today said that the “teachers’ Social Security numbers were present in the publicly visible HTML source code of the pages involved.” The numbers weren’t available in plain text but were easily converted, the Post-Dispatch continued:
The data on DESE’s website was encoded but not encrypted, said Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis—and that’s a key distinction. No one can view encrypted data without the specific decryption key used to hide the data. But encoded just means the data is in a different format and can be relatively easily decoded and viewed.
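The encoding-versus-encryption distinction above is what a page-source leak audit checks for: an encoded value needs no key to read back, so a defender can scan the HTML an application actually serves and flag sensitive values whether they appear in the clear or only encoded. The example below is added here and is not code from the Post-Dispatch, DESE, or the article; it uses constructed markup and assumes base64 as the encoding, since the article says only "encoded but not encrypted" and matches only the dashed SSN form.

```python
import base64
import binascii
import re

# Constructed sample page (not DESE's real markup): nothing sensitive is
# rendered, but a hidden attribute carries an SSN, base64-encoded. The
# article says only "encoded but not encrypted"; base64 is an assumption.
ENCODED_SSN = base64.b64encode(b"123-45-6789").decode("ascii")
SAMPLE_HTML = f"""
<tr class="educator" data-profile="{ENCODED_SSN}">
  <td>Jane Doe</td><td>Certificate: Active</td>
</tr>
<!-- analytics token: c2Vzc2lvbi1pZC0wMDE= -->
"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # dashed SSN form only
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")        # base64-looking tokens


def find_ssn_leaks(html: str) -> list[tuple[str, str]]:
    """Return (location, ssn) pairs for SSNs present in HTML source, whether
    written in the clear or only base64-encoded. Decoding the encoded form
    needs no key, which is exactly why encoding is not a protection."""
    findings = [("plain", m.group(0)) for m in SSN_RE.finditer(html)]
    for m in B64_RE.finditer(html):
        token = m.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # long identifier or hash that is not valid base64
        for ssn in SSN_RE.findall(decoded):
            findings.append((f"base64:{token}", ssn))
    return findings


if __name__ == "__main__":
    # Report findings with the value masked so the audit log itself does not leak.
    for where, ssn in find_ssn_leaks(SAMPLE_HTML):
        print(f"{where}: ***-**-{ssn[-4:]}")
```

Run against a saved copy of each page the application serves, not just the rendered view, since the leak in the article was invisible on screen but present in the source.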