Missouri Governor Mike Parson has threatened legal action against a report and a newspaper that found a vulnerability in a state website.
The St. Louis Post-Dispatch reporter disclosed a website's security vulnerability that led to social security numbers of teachers and educational staff members easily accessible by anyone who knew how.
Due to the vulnerability, anyone could have had access to the social security numbers by simply right-clicking and then choosing Inspect Element or View Source.
Governor Parson, in return, called the St. Louis Post-Dispatch reporter a "hacker" whose actions were described as "decoding the HTML source code," according to a report.
Missouri Governor Threatens Legal Action Against Report
Missouri Governor Mike Parson has threatened legal action against the St. Louis Post-Dispatch and its reporter, who disclosed a security vulnerability in a state website.
According to a report by The Verge, the St. Louis Post-Dispatch "notified the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages that contained employee SSNs, potentially putting the information of over 100,000 employees at risk."
"While the reporter followed standard protocols for disclosing and reporting on the vulnerability, the governor is treating him as if he attacked the site or was trying to access the teacher's private information for nefarious purposes," The Verge added.
For his efforts, the reporter had been called a "hacker" by Governor Parson, who also said the county prosecutor and investigators would be involved.
Governor Parson also said, per The Verge report, that the whole incident could cost the state and its taxpayers $50 million. The report, however, notes that it would have been more expensive for the government had a hacker actually accessed the social security numbers available due to the security vulnerability.
Security Vulnerability in DESE Site
Per the report of the St. Louis Post-Dispatch that was cited by The Verge, the tool that contained the vulnerability "was designed to let the public see teachers' credentials."
The vulnerability in the tool meant that the page also included the social security number of the person whose credentials are being viewed, which could be accessed by anyone who knows how to right-click and then choose Inspect Element or View Source.
Governor Parson insisted that the DESE's website does not give users permission to access social security numbers of teachers and staff members, but The Verge report notes that "it was being freely provided."
There have been multiple instances in the past wherein a security vulnerability could have or has actually led to private data being accessed by hackers. A recent example of which is the Microsoft Azure security vulnerability called OMIGOD.
Missouri DESE Comments on Incident
The Verge has noted in its report that it has reached out to the Missouri DESE for comment. However, the Missouri DESE did not have much to say due to the ongoing investigation.
The Missouri DESE only said that the data in question is now already protected.
Written by Isabella James