Pulpit and two microphones with US state flag on background - Missouri

Journalist won’t be indicted for hacking for viewing a state website’s HTML

A journalist incorrectly branded as a “hacker” by the governor of Missouri won’t be prosecuted “for hacking”.

This was a quick and foreseen win for St. Louis Post-Dispatch reporter Josh Renaud after a prosecutor from Cole County dismissed Missouri Governor Mike Parson’s criminal charges against him for allegedly hacking a government website by viewing its public HTML code— something anyone can do by simply pressing the F12 button.

Perhaps due to the absurd allegation, Internet users following the cause couldn’t help but rename this as “the F12 case”.

Locke Thompson, a Cole County Prosecutor, released a statementon Friday last week, which includes:

“There is an argument to be made that there was a violation of law. However, upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means, As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case. The investigation is now closed, and the Cole County Prosecutor’s Office will have no further comment on the matter.”

How it all began

In October 2021, St. Louis Post-Dispatch pushed out Renaud’s storyabout a flaw on a website maintained by the Missouri Department of Elementary and Secondary Education (DESE)which exposed Social Security numbers (SSNs) of administrators, counselors, and school teachers across the state, putting more than 100,000 educators at risk.

According to Renaud’s article, the teacher’s SSNs were contained in the site’s HTML source code. This is easily accessed by simply pressing the F12 function key and opening the Developer’s Console on the right-hand side of the webpage. When consulted, Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis confirmed Renaud’s findings, calling it “a serious flaw.”

“We have known about this type of flaw for at least 10-12 years, if not more,” Khan was quoted in an email, “The fact that this type of vulnerability is still present in the DESE web application is mind-boggling!”

The department was supposed to discuss Renaud’s findings, but things took a quick turn for the worse. On Wednesday evening, the department sent out a letter to teachers and posted a press release on its website, minimizing the flaw’s impact and blaming Renaud—and by association, the Post-Dispatch—for taking records of educators from their site.

Education Commissioner Margie Vandeven said in a letter to teachersthat “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

An echo of this sentiment was reflected in the press release, further stating that the person (Renaud) responsible for discovering the flaw was a “hacker” and “took the records of at least three educators.”

In reality, according to the Post-Dispatch, Renaud had discovered the flaw and confirmed that the nine-digit numbers he’d seen on the webpage’s code were indeed SSNs. The paper had also told DESE that it confirmed the flaw with three educators and Professor Khan. Post-Dispatch further noted that these SSNs were available and searchable by anyone through DESE’s educator certification search tool on its website.

Although the SSNs in the HTML were encoded and not in plain text, they were not encrypted, said Khan in a separate Post-Dispatch article. Encrypted data would require a unique decryption key to view the actual data. On the other hand, encoded data only means that the data is in a different format.

“Anybody who knows anything about development—and the bad guys are way ahead—can easily decode that data,” Khan said. That wasn’t even the issue though. The bigger problem, according to Khan, was the presence of sensitive data accessible by anyone with a browser.

DESE has made teacher information accessible to local school districts when verifying a teacher’s certification. As SSNs are part of the information pool, it would be easy to identify an educator using the last four digits of their SSN. After Renaud reported the flaw to DESE, this search tool has been removed.

Joseph Martineau, a Lewis Rice attorney representing Post-Dispatch, issued the following response to DESE’s press release:

“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.

For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”

It should also be noted Post-Dispatch held off publishing Renaud’s article to give DESE enough time to address the flaw in its site.

The state of Missouri also targeted Professor Khan in their investigations, but this was halted after Khan sent a litigation hold and demand letterto Parson and some state agencies.

Relief for Renaud

Josh Renaud issued a statementexpressing relief and remorse for the damage done to him and his family. He described the entire ordeal as “a political prosecution of a journalist.”

“Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data. At the same time, I am concerned that the governor’s actions have left the state more vulnerable to future bad actors. His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed.”

Gov. Parson could have responded to Renaud’s reporting differently, and hacker Rachel Tobaccouldn’t have encapsulated this more perfectly: