Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet. See More →
Missouri Governor Mike Parson wants to prosecute a journalist who warned the state that a government website left school teachers and administrators' Social Security numbers exposed.
Parson called St Louis. Post-Dispatch reporter Josh Renaud a “hacker” and vowed to seek criminal prosecution at a press conference on Thursday. Renaud's "crime?" Clicking "view source" on a publicly available webpage.
“The state does not take this matter lightly,” Parson said, according to the Missouri Independent. “This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians.”
Parson said he referred the case to the Cole County Prosecutor and asked the Missouri State Highway Patrol to investigate as well.
On Wednesday, the St. Louis Post-Dispatch reported that a flaw in the state's Department of Elementary and Secondary Education left exposed the SSNs of the department employees, including teachers, administrators, and counselors. Renaud reported that the SSNs were visible simply by viewing the HTML source code of the vulnerable pages, something that anyone can do with two clicks on any modern browser.
The office of Gov. Parson declined to comment, and referred us to a recording of Parson’s press conference.
The way the St. Louis Post-Dispatch and Renaud handled the situation appears to be a textbook example of ethical disclosure of a bug. The paper reported having found the bug in the web app set up to allow the public to search teacher certifications and credentials. More than 100,000 SSns were exposed, according to the paper.
Once the paper alerted the state government, the department fixed the bug on Tuesday, and the paper published its story on Wednesday, once there were no risks for the teachers whose SSNs were exposed. Parson's comments are also a textbook example of government officials seemingly not having any clue how technology works, and vilifying people who do ethical security research as criminals, rather than simply thanking them for doing a public service that makes us all safer.
"The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities," the St. Louis Post-Dispatch wrote in its article.
A spokesperson for the St. Louis Post-Dispatch shared the following statement:
“The reporter did the responsible thing by reporting his findings to the Department of Elementary and Secondary Education (DESE) so that the state could act to prevent disclosure and misuse,” the statement read. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
This story has been updated to include the statement from the St. Louis Post-Dispatch spokesperson.
nosayso on October 14th, 2021 at 22:13 UTC »
There are laws protecting your personal information, the breaker of laws was the state and their shitty website.
AmHoomon on October 14th, 2021 at 22:06 UTC »
So everyone is aware, when the state published this data in the “source” they — the state — disclosed and pushed all that information to every visitor.
The journalist literally looked at HTML code the government GAVE him via a web browser.
The journalist literally broke no law.
retroracer33 on October 14th, 2021 at 22:03 UTC »
"decoded the HTML source code"
i cant even with these fucking idiots. i would absolutely sue the state for defamation.