The reporter responsibly disclosed the vulnerability
Missouri Governor Mike Parson is threatening legal action against a reporter and newspaper that found and responsibly disclosed a security vulnerability that left teacher and educational staffs' social security numbers exposed and easily accessible.
The St. Louis Post-Dispatch reports that it notified the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages that contained employee SSNs, potentially putting the information of over 100,000 employees at risk. Despite the fact that the outlet waited until the tool was taken down by the state to publish its story, the reporter has been called a "hacker" by Governor Parson, who says he'll be getting the county prosecutor and investigators involved.
According to the Post-Dispatch, the tool that contained the vulnerability was designed to let the public see teachers' credentials. However, it reportedly also included the employee's SSN in the page it returned; while it apparently didn't appear as visible text on the screen, KrebsOnSecurity reports that accessing it would be as easy as right-clicking on the page and clicking Inspect Element or View Source.
Seeing employees' SSNs was reportedly as easy as clicking View Source
While the reporter followed standard protocols for disclosing and reporting on the vulnerability, the governor is treating him as if he attacked the site or was trying to access the teachers' private information for nefarious purposes.
In a press conference, Governor Parson described the reporter's actions as "decoding the HTML source code," which makes it seem suspicious and clandestine. He is, however, literally describing how viewing a website works: it's the server's job to send an HTML file to your computer so you can view it, and anything included in that file isn't secret (even if it's not physically visible on your screen when viewing that webpage). Governor Parson says that nothing on DESE's website gave users permission to access the SSN data, but it was being freely provided.
You can view the governor's full press conference below.
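The point above is that everything in the served HTML reaches the client, rendered or not. As an added example (not code from the article or from DESE's tool), here is the kind of regression check a defender would run after the fix: it parses an HTML response and reports any SSN-shaped value wherever it sits in the markup, including comments, attributes, hidden inputs and script bodies that a browser never displays. The sample page and its SSN value are constructed.

```python
"""Audit check: does an HTML response carry SSN-shaped values anywhere in
the document, including parts the browser never renders?  Added example;
not code from the article or from DESE.  SAMPLE_PAGE is constructed."""
import re
from html.parser import HTMLParser

# US SSN shape: 3-2-4 digits.  Shape only, no validity check.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Elements with no closing tag; must not stay on the open-tag stack.
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


class SsnLeakAuditor(HTMLParser):
    """Collect every SSN-shaped string and where in the markup it sits."""

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (location, value)
        self._stack = []     # currently open tags

    def _record(self, location, text):
        for value in SSN_RE.findall(text or ""):
            self.findings.append((location, value))

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self._stack.append(tag)
        # Attribute values (hidden inputs, data-* attrs) are sent but not shown.
        for name, value in attrs:
            self._record(f"attribute {tag}@{name}", value)

    def handle_endtag(self, tag):
        if tag in self._stack:
            while self._stack.pop() != tag:
                pass

    def handle_data(self, data):
        parent = self._stack[-1] if self._stack else "document"
        where = ("script/style body" if parent in ("script", "style")
                 else f"text in <{parent}>")
        self._record(where, data)

    def handle_comment(self, data):
        self._record("HTML comment", data)


def audit_html(html):
    """Return [(location, value), ...] for every SSN-shaped string found."""
    parser = SsnLeakAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: the SSN is absent from visible text but present three
# times in markup the browser does not display.
SAMPLE_PAGE = """<html><body>
<h1>Educator credential lookup</h1>
<p>Name: Jane Doe &mdash; Certificate: valid</p>
<!-- TODO remove: ssn 000-12-3456 -->
<input type="hidden" name="ssn" value="000-12-3456">
<script>var rec = {"ssn": "000-12-3456"};</script>
</body></html>"""
```

Running `audit_html(SAMPLE_PAGE)` reports the comment, the hidden input's value attribute and the script body, none of which a user would see on screen.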
The Kupon4U has reached out to Missouri DESE to clarify whether the tool was publicly accessible or required logging in, and in response, the DESE says its only comment (due to the ongoing investigation) is that the data is now protected. Of course, it being accessible at all is an issue, regardless of whether it was behind a login.
The governor's response flies in the face of standard practice
Missouri's response is, to put it lightly, the exact opposite of standard practice. Many organizations have bug or security bounties worth hundreds of thousands of dollars, which they'll pay to hackers who find and responsibly disclose flaws like these. The reason these exist is that they'll make your systems safer: yes, people will look for and find vulnerabilities, but there was likely already somebody doing that anyways. With a bug bounty, they're telling you so you can fix it rather than selling that info on the dark web or using it for personal gain. Obviously, those kinds of sums aren't reasonable for school districts, which often have underfunded IT departments due to shrinking budgets, but there're a lot of options between paying out large sums of money and threatening legal action.
Governor Parson says that the incident could cost the state's taxpayers $50 million. If a malicious hacker had found the treasure trove of SSNs, it likely would've been even more expensive: the state still would've had to fix the system, and it'd have teachers who would have solid claims against it if they needed identity protection services.
You still have to patch vulnerabilities even if you're not publicly called out for them
Governor Parson (along with a press release by the Office of Administration) clarifies that the SSNs were only accessible one at a time; a list of all employees' private info wasn't included in the HTML files. But as anyone who's watched the opening scene of The Social Network knows, it can be trivial for hackers to download all the pages from an application and strip specific pieces of information out of them. Just because the reporter didn't do it (it would've arguably been irresponsible if he had) doesn't mean that it wasn't possible and doesn't speak to good security practices.
Prosecuting this disclosure will put people in Missouri at risk
To be clear: prosecuting the reporter, news outlet, and anyone involved will only serve to put people in Missouri at risk because no one will want to report security flaws they've found in public systems if the state's response will be sending law enforcement after them. Security flaws like this are extremely unfortunate, but they will inevitably happen (the Post-Dispatch reports that the DESE was found to have been storing student SSNs by an audit in 2015). With public entities and companies alike, the real test isn't whether it happens but how you respond to it. Unfortunately, it seems like Governor Parson is failing that test.
Updated October 14th, 5:52PM ET: Updated to reflect comment from the DESE.