A Missouri politician has been relentlessly mocked on Twitter after demanding the prosecution of a journalist who found and responsibly reported a vulnerability in a state website.
Mike Parson, governor of Missouri, described reporters for local newspaper the St Louis Post Dispatch (SLPD) as "hackers" after they discovered a web app for the state's Department of Elementary and Secondary Education was leaking teachers' private information.
Around 100,000 social security numbers could be exposed to anyone who loaded the web app in a browser. The public-facing app was intended for local schools to check teachers' professional registration status. To distinguish between teachers with the same name, it accepted the last four digits of a teacher's social security number as a search term.
It appears that in the background, the app was retrieving the entire social security number and writing it into the page it sent to the end user, even though only the last four digits were meant to be shown.
The SLPD discovered this by viewing a search results page's source code. "View source" has been a common feature of web browsers for years, typically available by right-clicking anywhere on a webpage and selecting it from a menu. It displays nothing more than the HTML the server has already delivered to the browser; it sends no requests to the server and bypasses no controls. Any data that must stay private has to be withheld on the server side, because hiding it in the markup is not hiding it at all.
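The failure mode, in code: this is an added example written for this page, not code from the Missouri application, whose actual implementation the article does not describe. It models a hypothetical search handler in Python with a leaky renderer beside a hardened one, and the check a reviewer would run on the raw response rather than on what the browser displays. The teacher records, names and SSNs are constructed; the SSNs use an area number the Social Security Administration never issues, so they belong to nobody.

```python
import html
import re

# Constructed sample data. Area numbers 900-999 are never issued by the SSA,
# so these SSNs cannot belong to a real person.
TEACHERS = [
    {"name": "Jane Smith", "ssn": "987-65-4321", "cert": "active"},
    {"name": "Jane Smith", "ssn": "987-65-1234", "cert": "expired"},
    {"name": "John Doe",   "ssn": "912-34-5678", "cert": "active"},
]


def lookup(name, last4):
    """Server-side search: match on name and the last four SSN digits.
    The full record, SSN included, is what the data layer hands back."""
    return [t for t in TEACHERS
            if t["name"].lower() == name.lower() and t["ssn"][-4:] == last4]


def render_leaky(rows):
    """Hypothetical vulnerable rendering: the visible cell shows only the
    last four digits, but the full SSN is written into a data attribute,
    where 'view source' shows it to anyone."""
    out = ["<table>"]
    for t in rows:
        out.append(
            f'<tr data-ssn="{html.escape(t["ssn"])}">'
            f'<td>{html.escape(t["name"])}</td>'
            f'<td>***-**-{t["ssn"][-4:]}</td>'
            f'<td>{html.escape(t["cert"])}</td></tr>'
        )
    out.append("</table>")
    return "\n".join(out)


def redact(row):
    """Minimise the record before it reaches the view layer: keep only
    the fields the page is allowed to show."""
    return {"name": row["name"], "ssn_last4": row["ssn"][-4:], "cert": row["cert"]}


def render_fixed(rows):
    """Hardened rendering: the template only ever sees the redacted record,
    so there is no secret left to hide in the HTML."""
    out = ["<table>"]
    for t in map(redact, rows):
        out.append(
            f'<tr><td>{html.escape(t["name"])}</td>'
            f'<td>***-**-{t["ssn_last4"]}</td>'
            f'<td>{html.escape(t["cert"])}</td></tr>'
        )
    out.append("</table>")
    return "\n".join(out)


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def ssns_in_response(body):
    """The 'view source' check: scan the raw response body for anything
    shaped like a full SSN, regardless of what the browser renders."""
    return SSN_RE.findall(body)


if __name__ == "__main__":
    hits = lookup("Jane Smith", "4321")
    print("leaky page leaks:", ssns_in_response(render_leaky(hits)))
    print("fixed page leaks:", ssns_in_response(render_fixed(hits)))
```

The same scan can be pointed at a real application by fetching a results page with any HTTP client and running `ssns_in_response` over the body; if it returns anything, the server is sending data the page was never meant to show, and the fix belongs in the server's data handling, not in the template.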
SLPD reporters told the Missouri Department of Education about the flaw and held off publicising it so officials could fix it – but that wasn't good enough for the governor.
"The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so," Parson said, according to the Missouri Independent news website. He justified his bizarre outburst by saying the SLPD was "attempting to embarrass the state and sell headlines for their news outlet."
Clues about official attitudes towards the breach can be found in the Missouri Office of Administration's public statement about it, which implausibly claimed just three teachers' personal data was compromised.
"Through a multi-step process, a hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number (SSN) of those specific educators," it claimed in a statement that went on to cite Jeff Wann, the Missouri state CIO.
Proving his lack of technical awareness, Parson decided to broadcast his idiotic calls for prosecution on Twitter.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.— Governor Mike Parson (@GovParsonMO) October 14, 2021
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE
Inevitably, technically aware users responded to him with all the grace he deserved.
There are other amusing memes poking fun at the man, but, like Governor Parson, Reg readers are quite capable of clicking links, using basic web browser functionality, and viewing the rest for themselves on Twitter. You don't even need to press F12 to see them. ®
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), took to Twitter herself this afternoon with a clear statement of how sensible US government officials treat vulnerability disclosures.
We strongly encourage all organizations to implement an effective vulnerability disclosure policy (VDP).— Jen Easterly (@CISAJen) October 15, 2021
Learn more about VDP --> Last week @beauwoods, @InsiderPhD, & @spacerog gave us the hacker perspective on vulnerabilities & disclosures: https://t.co/u6nIYHYhC1 (2/2)