If you find and report a security flaw to a company, you’re normally thanked; sometimes you can even receive a reward. However, the governor of Missouri is taking the opposite approach and threatening to prosecute a journalist for finding a serious vulnerability in the state’s website.
This week, the St. Louis Post-Dispatch reported that the website for the state’s Department of Elementary and Secondary Education was potentially exposing over 100,000 teachers’ Social Security numbers.
Reportedly, the Social Security numbers were viewable in the plaintext HTML source of the site’s web pages. This means anyone could find the sensitive personal information simply by right-clicking within a browser and hitting “View Page Source” on the applicable web page.
The Post-Dispatch reported the flaw to state authorities so they could patch the website immediately. The newspaper even delayed publishing a story about the problem to give the state enough time to protect the personal data at stake. But rather than thank the newspaper, Missouri’s Republican Governor Mike Parson described the journalist who uncovered the vulnerability as a hacker.
“A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did,” he said in a press conference on Thursday.
“This individual is not a victim,” he added. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines to their news outlet.”
Parson went on to allege the journalist had to “convert and decode” the website’s computer code to access the Social Security numbers. However, the governor’s response is causing the IT industry to collectively roll its eyes, since a website’s HTML code can also be viewed by pressing the F12 key in the Chrome browser.
US Senator Ron Wyden even chimed in. “Journalism isn’t a crime. Cybersecurity research isn’t either. Real leaders don’t unleash their attack dogs on the press when they expose government failures, they roll up their sleeves and fix the problem,” he wrote in a tweet.
In the meantime, the St. Louis Post-Dispatch is dismissing Parson’s threat as completely unfounded. “The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” the newspaper’s attorney Joseph Martineau wrote in a statement to the Post-Dispatch. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”
According to Gov. Parson, the state may need to spend up to $50 million to fix the flaw.