A Missouri politician has been relentlessly mocked on Twitter after demanding the prosecution of a journalist who found and responsibly reported a vulnerability in a state website.
Mike Parson, governor of Missouri, described reporters for local newspaper the St. Louis Post-Dispatch (SLPD) as “hackers” after they discovered a web app for the state’s Department of Elementary and Secondary Education was leaking teachers’ private information.
Around 100,000 social security numbers could be exposed when the web app was loaded in a user’s browser. The public-facing app was intended to be used by local schools to check teachers’ professional registration status. So that users could distinguish between teachers of the same name, it accepted the last four digits of a teacher’s social security number as a valid search string.
It appears that in the background, the app was retrieving the entire social security number and exposing it to the end user.
The SLPD discovered this by viewing a search results page’s source code. “View source” has been a common feature of web browsers for years, typically available by right-clicking anywhere on a webpage and selecting it from a menu.
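The failure pattern described above, as an added illustration that is not the state application’s code: a search handler that drops the whole record into the page (here assumed to be via a hidden form field, since the article does not say exactly where in the HTML the number sat) beside a hardened version that builds a view model containing only the fields the page needs, plus a response check a defender can run in a test suite or on an egress proxy. The teacher records and SSN values are constructed placeholders.

```python
import html
import re

# Constructed sample records; the SSNs are fake placeholders, not real data.
TEACHERS = [
    {"name": "Jane Doe", "cert_status": "Active", "ssn": "000-00-1234"},
    {"name": "Jane Doe", "cert_status": "Expired", "ssn": "000-00-5678"},
    {"name": "John Roe", "cert_status": "Active", "ssn": "000-00-9012"},
]

# Anything shaped like a full SSN (NNN-NN-NNNN); the masked form ***-**-NNNN does not match.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def search(name, last4):
    """Look up teachers by name, disambiguating with the last four SSN digits,
    exactly the search the article describes. The full record is returned here;
    what matters is what the renderer does with it."""
    return [t for t in TEACHERS if t["name"] == name and t["ssn"][-4:] == last4]


def render_leaky(results):
    """Mirrors the reported flaw: the whole record, SSN included, is written
    into the page (assumed here to be a hidden input). Nothing is visible in the
    rendered table, but 'view source' shows the value in plain text."""
    rows = []
    for t in results:
        rows.append(
            f'<tr><td>{html.escape(t["name"])}</td>'
            f'<td>{html.escape(t["cert_status"])}</td>'
            f'<td><input type="hidden" name="ssn" value="{html.escape(t["ssn"])}"></td></tr>'
        )
    return "<table>" + "".join(rows) + "</table>"


def render_hardened(results):
    """Hardened form: build a view model with only the fields the page needs.
    The full SSN never reaches the template, so no browser feature can reveal it."""
    rows = []
    for t in results:
        view = {
            "name": t["name"],
            "cert_status": t["cert_status"],
            "ssn_last4": t["ssn"][-4:],
        }
        rows.append(
            f'<tr><td>{html.escape(view["name"])}</td>'
            f'<td>{html.escape(view["cert_status"])}</td>'
            f'<td>***-**-{html.escape(view["ssn_last4"])}</td></tr>'
        )
    return "<table>" + "".join(rows) + "</table>"


def leaks_full_ssn(page):
    """Response check: does the rendered HTML contain anything shaped like a
    full SSN? Suitable as a unit test on every template or as an egress filter."""
    return bool(SSN_PATTERN.search(page))


if __name__ == "__main__":
    hits = search("Jane Doe", "1234")
    print("leaky page exposes SSN:   ", leaks_full_ssn(render_leaky(hits)))
    print("hardened page exposes SSN:", leaks_full_ssn(render_hardened(hits)))
```

The point of the hardened version is that masking is done server-side before the template ever sees the data; hiding a field with CSS or a hidden input, as the leaky version does, only changes what the browser paints, not what it downloads.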
SLPD reporters told the Missouri Department of Education about the flaw and held off publicising it so officials could fix it – but that wasn’t good enough for the governor.
“The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so,” Parson said, according to the Missouri Independent news website. He justified his bizarre outburst by saying the SLPD was “attempting to embarrass the state and sell headlines for their news outlet.”
Clues about official attitudes towards the breach can be found in the Missouri Office of Administration’s public statement about it, which implausibly claimed just three teachers’ personal data was compromised.
“Through a multi-step process, a hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number (SSN) of those specific educators,” it claimed in a statement that went on to cite Jeff Wann, the Missouri state CIO.
Proving his lack of technical awareness, Parson decided to broadcast his idiotic calls for prosecution on Twitter.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE
— Governor Mike Parson (@GovParsonMO) October 14, 2021
Inevitably, technically aware users responded to him with all the grace he deserved.
— John Leschen (@johnleschen) October 14, 2021
— Undeadlifting (@Rorenado) October 14, 2021
There are other amusing memes poking fun at the man, but, like Governor Parson, Reg readers are quite capable of clicking links, using basic web browser functionality, and viewing the rest for themselves on Twitter. You don’t even need to press F12 to see them. ®
Jen Easterly, director of the federal CISA cybersecurity agency, took to Twitter herself this afternoon with a clear statement of how sensible US government officials treat vuln disclosures.
We strongly encourage all organizations to implement an effective vulnerability disclosure policy (VDP).
— Jen Easterly (@CISAJen) October 15, 2021