Apparently, viewing a website’s page source is hacking. At least that’s what Missouri Gov. Mike Parson claims Josh Renaud was doing when he discovered a vulnerability on a state website that exposed sensitive information.
Anyone with Internet access and a working computer could easily view the Social Security numbers of about 100,000 teachers. However, Missouri Gov. Mike Parson is branding the responsible journalist who discovered this a hacker with malicious intent.
Missouri Department of Education website exposed teachers’ Social Security numbers in its page source:
St. Louis Post-Dispatch journalist Josh Renaud had quietly discovered that the website for the state’s Department of Elementary and Secondary Education (DESE) was exposing over 100,000 teachers’ Social Security numbers.
He became aware of the data exposure after viewing the HTML source code of the site’s web pages. It is important to note that anyone with an internet connection could find this sensitive information by right-clicking the page and hitting “View Page Source.” In several popular web browsers, this is as simple as visiting the website and hitting F12 on the keyboard.
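The kind of exposure described above can be caught before a page ships. The following is an added example, not code from the Post-Dispatch or the state: a check a site owner could run over their own served HTML to flag SSN-shaped values sitting in comments, attributes or script bodies that a visitor would only see through View Page Source. The sample markup, function names and SSN values are constructed for illustration and do not reflect the DESE site's actual markup.

```python
import re
from html.parser import HTMLParser

# SSN-shaped: 123-45-6789, 123 45 6789 or nine bare digits; skips never-issued ranges.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}(?!\d)")

class SourceScanner(HTMLParser):
    """Record where SSN-shaped values occur in served HTML (values are masked)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # (location, masked value)
        self._raw = None        # set while inside <script> or <style>

    def _scan(self, text, location):
        for m in SSN_RE.finditer(text or ""):
            self.findings.append((location, "***-**-" + m.group(0)[-4:]))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw = tag
        for name, value in attrs:   # hidden inputs, data-* attributes, etc.
            self._scan(value, f"attribute {tag}[{name}]")

    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None

    def handle_comment(self, data):
        self._scan(data, "comment")

    def handle_data(self, data):
        self._scan(data, f"<{self._raw}> body" if self._raw else "visible text")

def scan_html(html):
    scanner = SourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def unrendered(findings):
    """Findings a visitor would only see through View Page Source."""
    return [f for f in findings if f[0] != "visible text"]

# Constructed sample page, not the DESE site's markup.
SAMPLE = """<!-- debug: record 123-45-6789 -->
<input type="hidden" name="state" value="id=7;ssn=111-22-3333">
<script>var rec = {"ssn": "234567890"};</script>
<p>Issued 2021-10-14. Phone 573-555-0100.</p>"""
```

Calling `unrendered(scan_html(SAMPLE))` reports the comment, the hidden input and the script body, while the date and phone number in the visible paragraph are not flagged. The pattern is a heuristic, so nine-digit identifiers of other kinds will also match and need review.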
Hitting F12 in a browser is not hacking. If your code leaks personal data via public development tools that any person can see by simply pressing F12 on a keyboard then you have a huge data leak issue, not a hacking situation, on your hands. Fix your website. https://t.co/sRONBxw4Vg
— Rachel Tobac (@RachelTobac) October 14, 2021
The Post-Dispatch reported the vulnerability to state authorities. They even delayed publishing a story so that relevant departments could patch the website.
As a result of the actions of Josh Renaud, the DESE confirmed that the “educator certification search tool was disabled immediately”. Simply put, the state machinery worked and patched the data vulnerability.
.@RSF_inter condemns @GovParsonMO's vow to prosecute @stltoday reporter Josh @Kirkman Renaud, who recently exposed sensitive data on a state website and reported it to government authorities. Read more: https://t.co/Zl0Q2TrfcC.
— RSF in English (@RSF_en) October 15, 2021
St. Louis Post-Dispatch then published the story on the incident, knowing well the Social Security Numbers weren’t easily accessible anymore. Instead of receiving a commendation, Missouri’s Republican Governor Mike Parson branded Josh Renaud as a “hacker”.
Missouri Governor brands journalist as ‘hacker’ who wanted to ‘embarrass the state’:
Speaking about the security lapse, and more specifically about Renaud, Missouri’s Republican Governor Mike Parson said:
“The newspaper uncovered the flaw in an attempt to embarrass the state. A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did.”
I will do a fundraiser for the legal fees of the reporter to sue @GovParsonMO if he doesn’t apologize to Josh Renaud, the Post-Dispatch and Missouri’s teachers.
— Fred Wellman (@FPWellman) October 15, 2021
The Governor is now contemplating legal action against the journalist for responsibly reporting the data vulnerability:
“This individual is not a victim. They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines to their news outlets. The state is committed to bringing to justice anyone who hacked our system and anyone who aided and abetted them to do so.”
The governor has reportedly referred the case to county prosecutors. Needless to say, social media users aren’t pleased. Even members of the governor’s own party expressed their displeasure:
It's clear the Governor's office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.
— Rep. Tony Lovasco (MO-64) (@tonylovasco) October 14, 2021
Several legal experts have indicated that the journalist is highly unlikely to stand trial. After all, the U.S. Supreme Court has specifically ruled that a person violates the law only when they access files or other information that they would otherwise be unable to access.
Still, if the state of Missouri proceeds with legal action, it could set a poor precedent. Journalists and whistleblowers are already at risk of legal action and attacks for discovering and reporting security issues and privacy vulnerabilities.