Missouri governor Mike Parson has been widely criticized for seeking to prosecute news reporters who disclosed a vulnerability on a state education website.
The St. Louis Post-Dispatch published a story on Wednesday about how its team discovered a web app flaw on the site that leaked teacher information, including 100,000 Social Security numbers (SSNs).
The SSNs were apparently available in the site’s source code, available to anyone who wanted to right-click on the page.
The journalists reported the security snafu to the Missouri state Department of Elementary and Secondary Education (DESE), which fixed the issue before publication of the story.
However, that hasn’t stopped Parson from a bizarre tirade against the ‘hackers’ in a press conference and on Twitter, in which he vowed to prosecute them for “unlawfully” accessing the teacher data.
“This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so – in accordance with what Missouri law allows and requires,” he said on the social media site.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
— Governor Mike Parson (@GovParsonMO) October 14, 2021
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE
“Under Missouri law, a person commits the offense of tampering with computer data if he or she knowingly and without authorization accesses, takes, and examines personal information without permission. This data was not freely available and had to be converted and decoded.”
The 66-year-old Republican signed off by stating: “We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers.”
Parson’s claims that the ‘hackers’ were motivated by malicious intent is undermined by his revelation that they viewed the details of only three educators.
A stream of comments beneath the social media post derides the governor and his team’s lack of cyber-savvy and question their motives for attacking the media.
Jake Williams, CTO at BreachQuest, said organizations should, in general, avoid shooting the messenger where security vulnerabilities are concerned.
“This is certainly not hacking in any sense of the word. It appears that the reporter used a publicly available web application intended to facilitate searching for teacher certifications. When the results were displayed, the reporter simply viewed the source code of the web page and found the social security numbers,” he continued.
“While governor Parson said the reporter ‘decoded the HTML source code’ in reality they simply used the feature built into every web browser since the dawn of the internet. Because HTTP is stateless, many web applications store their status in hidden form fields so they can be passed from the browser back to the server with every request. It seems likely that these hidden form fields included the social security number of the teacher.”