Missouri Governor Vows Criminal Prosecution of Reporter Who Found SSNs Exposed in Public Website Source ⇥ stltoday.com
Josh Renaud, St. Louis Post-Dispatch:
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.
Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.
Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.
The Post-Dispatch did the right thing when its reporters found this boneheaded privacy flaw in the website: it notified the department responsible, and held off disclosing the problem until it had been fixed just a couple days later. Job done, right?
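The flaw described above is a class of leak that never shows up in a browser window: sensitive values sitting in hidden inputs, comments, or inline scripts of a page that looks clean. A pre-publication check a defender can run is to parse the served HTML and flag SSN-shaped values by where they sit, not just whether they are visible. The following scanner is an added example and is not code from the Post-Dispatch, the Missouri DESE, or the original post; the sample page and its SSN-formatted values are constructed, and the `scan_html` and `has_exposed_pii` names are the example's own.

```python
import re
from html.parser import HTMLParser

# SSN-shaped pattern: excludes area 000/666/9xx, group 00, serial 0000.
# It will still match some phone numbers, so findings need human review.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample page: nothing visible to a user, yet three SSN-shaped
# values are present in the source (a comment, a script, a hidden input).
SAMPLE_HTML = """<html><head>
<!-- debug: record owner 456-78-9012 -->
<script>var record = {"cert": "2021-12345", "ssn": "111-22-3333"};</script>
</head><body>
<p>Certificate 2021-12345 (active)</p>
<input type="hidden" name="ssn" value="123-45-6789">
</body></html>"""


class PiiLocator(HTMLParser):
    """Collects (location, context, value) for each SSN-shaped match."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._last_tag = None  # tag whose content handle_data is delivering

    def handle_starttag(self, tag, attrs):
        self._last_tag = tag
        for name, value in attrs:  # attribute values (hidden inputs, data-*)
            if value:
                for m in SSN_RE.finditer(value):
                    self.findings.append(("attribute", f"{tag}[{name}]", m.group()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_comment(self, data):
        for m in SSN_RE.finditer(data):
            self.findings.append(("comment", "<!-- -->", m.group()))

    def handle_data(self, data):
        # Inline script/style bodies arrive here too; label them separately
        # from text a user would actually see rendered.
        location = "script" if self._last_tag in ("script", "style") else "text"
        for m in SSN_RE.finditer(data):
            self.findings.append((location, self._last_tag or "document", m.group()))


def scan_html(source: str):
    """Return every SSN-shaped value in the page source with its location."""
    parser = PiiLocator()
    parser.feed(source)
    parser.close()
    return parser.findings


def has_exposed_pii(source: str) -> bool:
    """True if any SSN-shaped value appears anywhere in the served markup."""
    return bool(scan_html(source))


if __name__ == "__main__":
    for location, context, value in scan_html(SAMPLE_HTML):
        print(f"{location:9} {context:14} {value}")
```

The point of labelling the location is that "not visible on the page" is not a safe criterion: every finding in the sample is in the comment, script, or attribute bucket and none in visible text, which is exactly the situation the reporters found. Run it against a crawl of rendered responses, not templates, since the values were injected server-side at render time.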
Jason Hancock, Missouri Independent:
But by Thursday, Gov. Mike Parson was labeling the Post-Dispatch reporter a “hacker” and vowing to seek criminal prosecution.
“The state does not take this matter lightly,” Parson said Thursday at a hastily called press conference. He refused to take questions afterward.
On Twitter, Parson elaborated:
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.
“Decoding” HTML — what a concept.
The state should be sending these reporters a “thank you” card and an Edible Arrangement, not charging them as criminals for viewing the public source code of the website.
Reminds me a little of that incident last month with a vaccination status app, and its fragile CEO. If anyone finds a security vulnerability and responsibly discloses it, they should be thanked publicly and paid. That goes for small businesses, large corporations, and governments alike.