Missouri Refers Coordinated Bug Disclosure to ProsecutorsGov. Michael L. Parson Alleges Newspaper Reporter Improperly Accessed Data
A newspaper reporter in Missouri who responsibly reported the exposure of Social Security numbers on a state government website has been accused of malicious hacking by the state's governor.
Gov. Michael L. Parson tweeted that the person, who works for the St. Louis Post-Dispatch, gained access to the data by decoding the HTML source code through a web browser. Parson's tweet thread drew widespread derision for its technical awkwardness and mischaracterizations.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol's Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE— Governor Mike Parson (@GovParsonMO) October 14, 2021
Parson says the reporter viewed the Social Security numbers of three employees for the state's Department of Elementary and Secondary Education, known as DESE.
"This matter is a serious matter," Parson said at a news conference on Thursday. "This individual did not have permission to do what they did. They had no authorization to convert or decode. So this was clearly a hack."
However, the St. Louis Post-Dispatch has a clearer accounting. The paper says in its own report that it discovered a vulnerability in a web application on DESE's website and that the sensitive data was in plain view. It is rejecting accusations that its employee violated the law.
Embedded in HTML Code
The web application, which was launched in 2011, allows local education agencies to verify a teacher's certifications and credentials, Missouri's Office of Administration Information Technology Services Division, or OA-ITSD, said on Wednesday. The agency says it performed a number of vulnerability scans for the web application but never discovered problems.
The web application allows people conducting a search to use the last four digits of a teacher's Social Security number in order to deconflict people that may have the same name, the agency says.
"In the process of verifying an educator's information, the last four digits of an educator's SSN can be used in the certification search tool as a piece of unique information to identify the appropriate educator," the agency says. "If educators have the same name, for example, LEAs can use the last four digits of the educator's SSN to be sure the LEA is viewing the correct information for the appropriate educator."
That functionality may be near the source of the problem. The Post-Dispatch discovered that the web application inadvertently exposed the full Social Security numbers for up to 100,000 teachers, administrators and counsellors.
The Social Security numbers weren't visible on DESE's website, but rather embedded within the HMTL, which was visible by using the "view source code" function in a web browser.
The Post-Dispatch writes that it confirmed the nine-digit numbers were indeed Social Security numbers and the overall vulnerability with a cybersecurity expert. The paper informed DESE on Tuesday and withheld publishing the details until the department fixed the problem.
In a press release on Wednesday, Missouri's Office of Administration Information Technology Services Division says it "has performed intense testing of all public facing web applications across all state agencies, and has not identified any other vulnerabilities. As an additional measure of precaution, third-party penetration testers were engaged to look for this specific vulnerability on state of Missouri websites."
The exact vulnerability isn't specified in the Post-Dispatch's report. But it's possible that a misconfiguration led to data being inserted into the HTML that wasn't intended to become public, says Troy Hunt, a data breach expert who founded the Have I Been Pwned data breach notification site.
"It's quite possible that all attributes of the people were returned from the database to the web server and rendered into the markup, even those that weren't meant to be publicly viewable such as the SSNs," Hunt says.
Hunt says it's unlikely that any charges related to unauthorized access would stick since the person followed best disclosure practices.
"This was responsible disclosure, and the flaw was fixed before it was disclosed," Hunt says. "It almost sounds like someone has egg on their face and they want to proverbially kick the dog."
In a statement, DESE says "the state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident."
Damage Claim: $50 Million
In a Thursday press conference, the governor claimed the incident could cost Missouri taxpayers as much as $50 million and divert resources from other state agencies. Parson says his office has contacted the Cole County prosecutor as well as the Missouri State Highway Patrol's digital forensics unit.
Parson also alleged that the newspaper's reporting of the incident was intended to embarrass the state and is part of a "political vendetta."
"They were acting against the state agency to compromise teachers personal information in an attempt to embarrass the state and sell headlines for the news outlet," Parson said.
But the Post-Dispatch's attorney, Joseph Martineau, has defended the paper's handling of the situation.
"The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse," Martineau says. "A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring this as 'hacking' is unfounded. Thankfully, these failures were discovered."