Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site

A St. Louis Post-Dispatch journalist found 100,000 Social Security numbers exposed in a government website, and reported the flaw to the government.

Oct 14 2021, 5:59pm

Missouri Gov. Mike Parson wants to prosecute a journalist who warned the state that a government website left school teachers and administrators' Social Security numbers exposed. 

Parson called St. Louis Post-Dispatch reporter Josh Renaud a “hacker” and vowed to seek criminal prosecution at a press conference on Thursday. Renaud's "crime?" Clicking "view source" on a publicly available webpage. 

“The state does not take this matter lightly,” Parson said, according to the Missouri Independent. “This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians.” 

Parson said he referred the case to the Cole County prosecutor and asked the Missouri State Highway Patrol to investigate as well.

On Wednesday, the St. Louis Post-Dispatch reported that a flaw in a website of the state's Department of Elementary and Secondary Education left the SSNs of the department's employees, including teachers, administrators, and counselors, exposed. Renaud reported that the SSNs were visible simply by viewing the HTML source code of the vulnerable pages, something that anyone can do with two clicks in any modern browser.

The office of Gov. Parson declined to comment, and referred us to a recording of Parson’s press conference. 

The way the St. Louis Post-Dispatch and Renaud handled the situation seems like a textbook example of ethical disclosure of a bug. The paper reported having found the bug in the web app set up to allow the public to search teacher certifications and credentials. More than 100,000 SSNs were exposed, according to the paper. 

Once the paper alerted the state government, the department fixed the bug on Tuesday, and the paper published its story on Wednesday, once there were no risks for the teachers whose SSNs were exposed. Parson's comments are also a textbook example of government officials seemingly not having any clue how technology works, and vilifying people who do ethical security research as criminals, rather than simply thanking them for doing a public service that makes us all safer.

"The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities," the St. Louis Post-Dispatch wrote in its article.

A spokesperson for the St. Louis Post-Dispatch shared the following statement:

“The reporter did the responsible thing by reporting his findings to the Department of Elementary and Secondary Education (DESE) so that the state could act to prevent disclosure and misuse,” the statement read. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

This story has been updated to include the statement from the St. Louis Post-Dispatch spokesperson.
