The St. Louis Post-Dispatch reporter who notified Missouri officials of a website flaw that exposed public-school teachers’ Social Security numbers told the state he would hold back on publishing his discovery for up to 48 hours and provided the state with details about how he found the flaw, records obtained by StateScoop show. In doing so, he followed the widely accepted steps in disclosing a vulnerability, according to a person who wrote the international standards for vulnerability disclosure.
On the morning of Oct. 12, the reporter, Josh Renaud, emailed the Missouri Department of Elementary and Secondary Education, to notify officials of the vulnerability in a search tool for educators’ professional credentials, which could access records for about 100,000 individuals. Renaud sent the message to DESE a day after verifying his findings with Shaji Khan, a computer-science professor at the University of Missouri—St. Louis.
“I recently discovered a significant exposure of the sensitive data of more than 100,000 teachers on a DESE website,” Renaud wrote to the agency’s communications chief, Mallory McGowin. “At this point I am confident what I found is a genuine vulnerability — I have confirmed with three teachers from different districts that their data was exposed. I also have consulted an UMSL cybersecurity researcher who verified my findings. The P-D plans to publish a story about this sensitive data exposure, but we wanted to inform DESE first so that you would have a chance to mitigate the problem.”
Renaud shared his timeline for publishing the story and asked for interviews with officials from DESE and the Missouri Office of Administration’s Information Technology Services Division. In a second email sent about 45 minutes later, he described the steps he’d taken in finding and confirming the vulnerability.
Missouri officials fixed the teacher lookup site, which had been revealing personal information in its HTML, and the Post-Dispatch later published its story. But rather than thank Renaud, Gov. Mike Parson responded Oct. 14 with accusations that the Post-Dispatch had “hacked” the state government as part of a perceived “political vendetta” against his administration. He also ordered law enforcement to investigate the paper, a process he’s claimed could cost up to $50 million.
Governor’s attacks amplify
While Missouri officials redacted most of Renaud’s second email, Katie Moussouris, the CEO of Luta Security, told StateScoop it appears he took all the right steps in disclosing a vulnerability.
“Nothing in what you’ve shared with me looks like it was out of line with sensible coordinated vulnerability disclosure activities of any researcher trying to protect victims of sensitive data exposure,” said Moussouris, a co-author of the international standards for vulnerability disclosures.
While the 48-hour hold on his story Renaud gave Missouri officials was “uncommon” — many formal CVD policies wait 30 days or longer before going public — Moussouris said it was justified “given the amount of data potentially exposed.” She also said that while professional researchers generally only share their findings with the affected parties before public disclosure, Renaud consulting Khan was appropriate considering newspaper reporters don’t research vulnerabilities on a regular basis.
In the days since his initial accusation, Parson has amplified his threats against the Post-Dispatch, its staff and Khan. Last week, a fundraising committee tied to the governor launched an ad campaign accusing the paper — rather than a flawed website — of exposing teachers’ information. “Exploiting private information is a squalid excuse for journalism. And hiding behind the noble principle of free speech to do it shameful,” the minute-long video says.
The Post-Dispatch declined to make Renaud or his editors available, citing the Missouri State Highway Patrol’s investigation, but in an emailed statement, continued to stick by its reporting.
“We believe no basis exists to justify any investigation,” the statement read. “We stand by our earlier statements and comments by cybersecurity experts that the newspaper and its reporter acted properly in this matter.”
From helper to villain
Khan, the professor Renaud consulted, is demanding a public apology from Parson, as well as remuneration for the legal expenses he’s incurred over the past few weeks. In a letter demanding the state preserve records related to the vulnerability disclosure — signaling a potential lawsuit — Khan’s lawyer described how the DESE website’s vulnerability was confirmed, and how the flaw could be discovered by any person who knows how to access the standard web-browser function of displaying a page’s HTML code.
“The entire process could be completed by anyone in matter of just a few minutes,” the lawyer, Elad Gross, wrote. “None of the data was encrypted, no passwords were required, and no steps were taken by the State of Missouri to protect the Social Security numbers of its teachers that the State automatically sent to every website visitor.”
The letter accuses state officials attempting to defame Khan and violate his right to free speech, and demands an immediate end to any investigation. Gross also wrote that in 2016, Khan worked with the Missouri secretary of state’s office to find and patch flaws in voter- and small-business-registration websites.
“Five years later, Professor Khan is now sadly the target of his government despite the service he has provided to Missouri’s teachers,” the letter reads.
‘Far more dangerous than a news article’
Moussouris agreed that Missouri officials should be grateful for the Post-Dispatch’s efforts, rather than vindictive.
“State officials’ best response would have been to take down the site, thank the reporter and immediately begin its own investigation into the data exposure, not to kill the messenger with threats of legal action,” she said. “If this reporter hadn’t come forward, that data would still be exposed and trivially harvested by criminals.”
She also suggested that other Missouri government agencies are much less likely to hear from ethical hackers in the future, to the detriment of the state’s population.
“The damage they have done with their response wills care most researchers away from ever warning them of serious flaws again,” Moussouris said. “That’s far more dangerous than having a news article written and isn’t in the best interest of their citizens.”