Missouri governor demands prosecution for data breach report – in HTML source code of state website

A Missouri politician has been relentlessly mocked on Twitter after demanding the prosecution of a journalist who found and responsibly reported a vulnerability in a state website.

Mike Parson, governor of Missouri, described reporters for local newspaper the St Louis Post Dispatch (SLPD) as “hackers” after they discovered a web app for the state’s Department of Elementary and Secondary Education was leaking teachers’ private information.

Around 100,000 social security numbers could be exposed when the web app was loaded in a user’s browser. The public-facing app was intended to be used by local schools to check teachers’ professional registration status. So that users could distinguish between different teachers of the same name, it would accept the last four digits of a teacher’s social security number as a valid search string.

It appears that in the background, the app was retrieving the entire social security number and exposing it to the end user.

The SLPD discovered this by viewing a search results page’s source code. “View source” has been a common feature of web browsers for years, typically available by right-clicking anywhere on a webpage and selecting it from a menu.
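The pattern the article describes is a server-side overfetch: the lookup only needs the last four digits, but the whole record, full social security number included, is handed to the page template and ends up in the HTML that any user can read with “view source”. The following is an added illustration, not code from The Register or from the state’s application; the teacher records, names and SSNs are constructed, and the function names are the example’s own. It shows the leaky version beside a data-minimising version, plus a simple response check a defender can run in tests or at a reverse proxy to catch full SSNs before a page is served.

```python
# Added example, not code from the original article or from the Missouri DESE app.
# Models the flaw described: a search-by-last-4 lookup whose server side fetched
# the full SSN and serialised it into the HTML, visible via "view source".
import html
import re

# Constructed sample records (fictional names and SSNs)
TEACHERS = [
    {"id": 1, "name": "Pat Example", "ssn": "123-45-6789", "status": "Active"},
    {"id": 2, "name": "Pat Example", "ssn": "987-65-4321", "status": "Expired"},
]

# A full, formatted US SSN as it would appear in page source
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def search_vulnerable(name, last4):
    # Overfetch: the whole record, full SSN included, is passed on to the template.
    return [t for t in TEACHERS if t["name"] == name and t["ssn"][-4:] == last4]


def render_vulnerable(results):
    # The template embeds the full record (here as a data attribute) so the
    # browser never displays the SSN, yet it sits in the HTML source.
    rows = "".join(
        f'<tr data-ssn="{html.escape(t["ssn"])}">'
        f'<td>{html.escape(t["name"])}</td><td>{html.escape(t["status"])}</td></tr>'
        for t in results
    )
    return f"<table>{rows}</table>"


def search_hardened(name, last4):
    # Data minimisation: select only the fields the page needs and derive the
    # last-4 disambiguator server side; the full SSN never leaves this function.
    return [
        {"name": t["name"], "status": t["status"], "ssn_last4": t["ssn"][-4:]}
        for t in TEACHERS
        if t["name"] == name and t["ssn"][-4:] == last4
    ]


def render_hardened(results):
    # Only the masked identifier is rendered; there is nothing extra to find in the source.
    rows = "".join(
        f"<tr><td>{html.escape(t['name'])}</td>"
        f"<td>***-**-{html.escape(t['ssn_last4'])}</td>"
        f"<td>{html.escape(t['status'])}</td></tr>"
        for t in results
    )
    return f"<table>{rows}</table>"


def leaks_full_ssn(page):
    # Response check: does the outgoing page body contain a full SSN?
    # Usable as a unit test on templates or as an egress filter at a proxy.
    return bool(SSN_RE.search(page))


if __name__ == "__main__":
    bad = render_vulnerable(search_vulnerable("Pat Example", "6789"))
    good = render_hardened(search_hardened("Pat Example", "6789"))
    print("vulnerable page leaks full SSN:", leaks_full_ssn(bad))
    print("hardened page leaks full SSN:  ", leaks_full_ssn(good))
```

The check in `leaks_full_ssn` is deliberately crude (a formatted SSN pattern); its value is as a regression test that fails the build when a template starts carrying a field it should never have received, which is the class of defect a “view source” reviewer would otherwise be the first to notice.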

SLPD reporters told the Missouri Department of Education about the flaw and held off publicising it so officials could fix it – but that wasn’t good enough for the governor.

“The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so,” Parson said, according to the Missouri Independent news website. He justified his bizarre outburst by saying the SLPD was “attempting to embarrass the state and sell headlines for their news outlet.”

[…]

Source: Missouri governor demands prosecution for data breach report • The Register

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

robin@edgarbv.com  https://www.edgarbv.com