Missouri Governor Mike Parson is threatening legal action against a reporter and newspaper that found and responsibly disclosed a security vulnerability that left teacher and educational staffs’ social security numbers exposed and easily accessible.
The St. Louis Post-Dispatch reports that it notified the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages that contained employee SSNs, potentially putting the information of over 100,000 employees at risk. Despite the fact that the outlet waited until the tool was taken down by the state to publish its story, the reporter has been called a “hacker” by Governor Parson, who says he’ll be getting the county prosecutor and investigators involved.
According to the Post-Dispatch, the tool that contained the vulnerability was designed to let the public see teachers’ credentials. However, it reportedly also included the employee’s SSN in the page it returned — while it apparently didn’t appear as visible text on the screen, KrebsOnSecurity reports that accessing it would be as easy as right-clicking on the page and clicking Inspect Element or View Source.
Seeing employee’s SSNs was reportedly as easy as clicking View Source
While the reporter followed standard protocols for disclosing and reporting on the vulnerability, the governor is treating him as if he attacked the site or was trying to access the teacher’s private information for nefarious purposes.
In a press conference, Governor Parson described the reporter’s actions as “decoding the HTML source code,” which makes it seem suspicious and clandestine. He is, however, literally describing how viewing a website works — it’s the server’s job to send an HTML file to your computer so you can view it, and anything included in that file isn’t secret (even if it’s not physically visible on your screen when viewing that webpage). Governor Parson says that nothing on DESE’s website gave users permission to access the SSN data, but it was being freely provided.
You can view the governor’s full press conference below.
The Verge has reached out to Missouri DESE to clarify whether the tool was publicly accessible or required logging in, and in response, the DESE says its only comment (due to the ongoing investigation) is that the data is now protected. Of course, it being accessible at all is an issue, regardless of whether it was behind a login.
The governor’s response flies in the face of standard practice
Missouri’s response is, to put it lightly, the exact opposite of standard practice. Many organizations have bug or security bounties worth hundreds of thousands of dollars, which they’ll pay to hackers who find and responsibly disclose flaws like these. The reason these exist is that they’ll make your systems safer — yes, people will look for and find vulnerabilities, but there was likely already somebody doing that anyways. With a bug bounty, they’re telling you so you can fix it rather than selling that info on the dark web or using it for personal gain. Obviously, those kinds of sums aren’t reasonable for school districts, which often have underfunded IT departments due to shrinking budgets, but there’re a lot of options between paying out large sums of money and threatening legal action.
Governor Parson says that the incident could cost the state’s taxpayers $50 million. If a malicious hacker had found the treasure trove of SSNs, it likely would’ve been even more expensive: the state still would’ve had to fix the system, and it’d have teachers who would have solid claims against it if they needed identity protection services.
You still have to patch vulnerabilities even if you’re not publicly called out for them
Governor Parson (along with a press release by the Office of Administration) clarifies that the SSNs were only accessible one at a time — a list of all employees’ private info wasn’t included in the HTML files. But as anyone who’s watched the opening scene of The Social Network knows, it can be trivial for hackers to download all the pages from an application and strip specific pieces of information out of them. Just because the reporter didn’t do it (it would’ve arguably been irresponsible if he had) doesn’t mean that it wasn’t possible and doesn’t speak to good security practices.
Prosecuting this disclosure will put people in Missouri at risk
To be clear: prosecuting the reporter, news outlet, and anyone involved will only serve to put people in Missouri at risk because no one will want to report security flaws they’ve found in public systems if the state’s response will be sending law enforcement after them. Security flaws like this are extremely unfortunate, but they will inevitably happen (the Post-Dispatch reports that the DESE was found to have been storing student SSNs by an audit in 2015). With public entities and companies alike, the real test isn’t whether it happens but how you respond to it. Unfortunately, it seems like Governor Parson is failing that test.
Updated October 14th, 5:52PM ET: Updated to reflect comment from the DESE.