Missouri professor who verified website security flaw wants Gov. Parson to apologize


A cybersecurity professor who verified the vulnerability that left the Social Security numbers of upwards of 100,000 teachers accessible on a Missouri website is demanding Gov. Mike Parson apologize after he threatened those who exposed the weakness with prosecution.

An attorney for University of Missouri-St. Louis Professor Shaji Khan sent a letter Thursday to Parson, the Missouri Department of Elementary and Secondary Education (DESE) and other agencies telling them to preserve records related to the episode — often a first step before a lawsuit.

The letter is the first indication that Parson may face a legal challenge over his response to a St. Louis Post-Dispatch story last week detailing how Social Security numbers had been left exposed on a DESE website. The day after publication, Parson called a news conference where he threatened the newspaper, its journalists and those who helped them with prosecution — and said law enforcement would investigate.

Khan had been approached by the newspaper and confirmed that the website contained a vulnerability that allowed the personal information of teachers to be accessed. He was quoted in the story calling it a “serious flaw.”

For that, Khan’s attorney said, the professor was defamed by state officials who violated his right to free speech because he now faces government retaliation.

“If the state proceeds with this baseless investigation against him, we will explore every avenue to address the wrongdoing in court,” Khan’s attorney, Elad Gross, wrote in the letter.

Parson’s office did not respond to a request for comment.

Gross, who ran for attorney general last year as a Democrat, called on Parson to hold another news conference and apologize to Khan. He also wants DESE and other state agencies to apologize, in addition to Uniting Missouri, a pro-Parson PAC that released a video on Wednesday attacking the Post-Dispatch over the story.

Gross noted that Khan had been previously thanked by Missouri for helping the Secretary of State’s Office address a security flaw in 2016.

Parson last week said the Missouri Highway Patrol was investigating and that he had notified the Cole County Prosecuting Attorney’s Office. In the letter, Gross indicated a Highway Patrol trooper approached Khan for an interview on Friday.

The interview will be conducted “in the next few days,” Gross said Thursday.

The Social Security numbers, the Post-Dispatch reported, had been exposed in the HTML source code of a state website, which anyone can access through a web browser with a few keystrokes.

“No statute in Missouri or on the federal level prohibits members of the general public from viewing publicly available websites or viewing the website’s unencrypted source code. No reasonable person would think they were unauthorized to view a publicly available website, its unencrypted source code, or any of the unencrypted translations of that source code,” Gross wrote.

He added: “There is no probable cause to investigate Professor Khan, and instigation or continuation of any proceeding against him would therefore be prohibited.”

In the letter, Gross describes the actions Khan took to verify the flaw. It involved viewing the public webpage’s source code and “identifying a suspicious piece of the source code referred to as ‘View State.’” Such code, the letter says, “can contain security flaws like the one found here,” and “translating the source code into plain text...can also be done by anyone.”
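As an added illustration, not part of the article or of Gross’s letter, the script below shows the kind of pre-release check a site owner could run over their own rendered pages: it pulls the hidden `__VIEWSTATE` field, base64-decodes it and flags any Social Security number-shaped strings so that personal data never ships inside ViewState. The sample page and the record inside it are constructed for the example; no real site or data is involved.

```python
import base64
import html
import re

# Constructed sample: a rendered ASP.NET form whose __VIEWSTATE field carries
# base64 of made-up, clearly fake record text. Real ViewState is serialized by
# ASP.NET's LosFormatter, but string values stay readable as UTF-8 after
# base64 decoding unless ViewState encryption is enabled.
SAMPLE_RECORD = b"TeacherRecord|Name=Jane Example|SSN=123-45-6789|District=Sample"
SAMPLE_HTML = (
    '<form method="post" action="./search.aspx">'
    '<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="'
    + base64.b64encode(SAMPLE_RECORD).decode("ascii")
    + '" /></form>'
)

VIEWSTATE_RE = re.compile(r'name="__VIEWSTATE"[^>]*?value="([^"]*)"')
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def extract_viewstate(page_html):
    """Return the raw __VIEWSTATE attribute value, or None if the page has none."""
    match = VIEWSTATE_RE.search(page_html)
    return html.unescape(match.group(1)) if match else None


def decode_viewstate(b64_value):
    """Base64-decode the field; return None when the value is not valid base64."""
    try:
        return base64.b64decode(b64_value, validate=True)
    except ValueError:
        return None


def find_ssn_like(blob):
    """Return SSN-shaped substrings in the decoded bytes (one char per byte)."""
    return SSN_RE.findall(blob.decode("latin-1"))


def audit_page(page_html):
    """Audit one rendered page; any ssn_matches means PII is leaking via ViewState."""
    raw = extract_viewstate(page_html)
    if raw is None:
        return {"has_viewstate": False, "decodable": False, "ssn_matches": []}
    blob = decode_viewstate(raw)
    if blob is None:
        return {"has_viewstate": True, "decodable": False, "ssn_matches": []}
    return {"has_viewstate": True, "decodable": True, "ssn_matches": find_ssn_like(blob)}


if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML))
```

A finding from this check is fixed by keeping personal data out of ViewState entirely; ASP.NET’s `ViewStateEncryptionMode="Always"` page setting hides the contents but does not remove the reason the data is in the page.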

Parson has said the data was “not freely available” and that the reporter “went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information.”

But when asked to offer proof for the claim, his spokeswoman Kelli Jones has refused, citing the pending police investigation.

On Wednesday, in response to a public records request from The Star, DESE released the email the reporter sent the department to notify them of the data vulnerability. But the agency redacted the steps he said he had taken to discover the flaw.

The department cited state law that allows the closure of “records that identify the configuration of a computer system.”
