Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site

Missouri Governor Mike Parson wants to prosecute a journalist who warned the state that a government website left school teachers and administrators’ Social Security numbers exposed. 

Parson called St Louis. Post-Dispatch reporter Josh Renaud a “hacker” and vowed to seek criminal prosecution at a press conference on Thursday. Renaud’s “crime?” Clicking “view source” on a publicly available webpage. 

“The state does not take this matter lightly,” Parson said, according to the Missouri Independent. “This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians.” 

Parson said he referred the case to the Cole County Prosecutor and asked the Missouri State Highway Patrol to investigate as well.

On Wednesday, the St. Louis Post-Dispatch reported that a flaw in the state’s Department of Elementary and Secondary Education left exposed the SSNs of the department employees, including teachers, administrators, and counselors. Renaud reported that the SSNs were visible simply by viewing the HTML source code of the vulnerable pages, something that anyone can do with two clicks on any modern browser.  

The office of Gov. Parson declined to comment, and referred us to a recording of Parson’s press conference. 

The way the St. Louis Post-Dispatch and Renaud handled the situation appears to be a textbook example of ethical disclosure of a bug. The paper reported having found the bug in the web app set up to allow the public to search teacher certifications and credentials. More than 100,000 SSns were exposed, according to the paper. 

Once the paper alerted the state government, the department fixed the bug on Tuesday, and the paper published its story on Wednesday, once there were no risks for the teachers whose SSNs were exposed. Parson’s comments are also a textbook example of government officials seemingly not having any clue how technology works, and vilifying people who do ethical security research as criminals, rather than simply thanking them for doing a public service that makes us all safer.

“The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities,” the St. Louis Post-Dispatch wrote in its article.

A spokesperson for the St. Louis Post-Dispatch did not immediately respond to a request for comment.

Subscribe to our new cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.

This post has been read 7 times!

0 0 votes
Article Rating
Like
Like Love Haha Wow Sad Angry
guest
Not Optional
Optional
0 Comments
Inline Feedbacks
View all comments