The cybersecurity professor who helped uncover the Missouri government’s failure to protect teachers’ Social Security numbers has demanded that the state cease its investigation into him and stop making “baseless accusations” that he committed a crime.
As we reported on October 14, Missouri Gov. Mike Parson threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security flaw that exposed the Social Security numbers of teachers and other school employees. The state is also investigating Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis who helped the Post-Dispatch journalist verify the security vulnerability.
This is all happening despite the fact that the state government made teachers’ Social Security numbers available in an unencrypted form in the HTML source code of a publicly accessible website. The governor’s strategy of blaming those who discovered the flaw earned him widespread mockery on social media from people who are familiar with the standard “view source” function present in major web browsers.
Khan hired an attorney to defend himself against the state’s accusations. On Thursday last week, Khan’s attorney sent a litigation hold and demand letter to Parson and several state agencies. The letter says that Parson and other state officials defamed Khan and violated his First Amendment “right to speak freely without the threat of government retaliation.” The letter adds that the state’s investigation into Khan “would violate the prohibition on malicious prosecution.”
“Professor Khan is likely to prevail on the merits of any case brought against him,” the letter said. “No statute in Missouri or on the federal level prohibits members of the general public from viewing publicly available websites or viewing the website’s unencrypted source code. No reasonable person would think they were unauthorized to view a publicly available website, its unencrypted source code, or any of the unencrypted translations of that source code. There is no probable cause to investigate Professor Khan, and instigation or continuation of any proceeding against him would therefore be prohibited.”
SSNs sent “to every visitor to the website”
The letter notes that Post-Dispatch reporter Josh Renaud asked Khan to verify the security flaw in a Missouri government website that allowed the public to search teacher certifications and credentials. “Professor Khan agreed to verify whether the security flaw existed only if Mr. Renaud agreed not to publish any story until the State of Missouri had an opportunity to protect teachers’ sensitive information if a flaw was in fact present. Mr. Renaud agreed,” the letter said.
The security flaw was easy to confirm, the letter says:
The public website permitted visitors to look up the credentials of Missouri teachers. Users could look up teachers by school assignments or by their last names and last four digits of their Social Security numbers. However, due to a major security flaw present in its design, the website was programmed to send the full Social Security number of Missouri teachers to every visitor to the website, whether the visitor was aware or not. That information was also programmed to be automatically stored in the visitors’ web browsers…
On October 11-12, 2021, Professor Khan verified the security flaw. He did so by:
- Visiting the public website, which was accessible by anyone and did not require a login;
- Looking at the publicly available source code, which can be easily done by anyone on any webpage under the “View” menu option;
- Identifying a suspicious piece of the source code referred to as “View State” that can contain security flaws like the one found here; and
- Translating the source code into plain text, which can also be done by anyone.
This entire process could be completed by anyone in a matter of just a few minutes. None of the data was encrypted, no passwords were required, and no steps were taken by the State of Missouri to protect the Social Security numbers of its teachers that the State automatically sent to every website visitor.
The website is still “down for maintenance.”
Khan: The only crimes were committed by the state
Khan’s letter calls for an investigation into the state government, saying the government violated a Missouri law that prohibits state entities from publicly disclosing Social Security numbers. The state also violated a state law requiring government officials to provide accurate information to victims of data breaches, the letter said:
Here, the State of Missouri and its officials improperly published Social Security numbers of approximately 100,000 teachers online. Instead of informing teachers of the nature of their failure, Missouri officials chose to minimize the security flaw created by the State and publicly blame the individuals who responsibly reported the problem to the proper authorities. The government has a responsibility to follow the law and provide accurate information to the teachers it failed. It did not and still has not, and the government has therefore violated the law.
On October 13, the Missouri Office of Administration issued a press release claiming that a “hacker” accessed the Social Security numbers of teachers. This characterization is “false,” Khan’s letter said. “The State of Missouri automatically transmitted teacher Social Security numbers to every website visitor. No one who discovered and reported this security flaw attempted to gain unauthorized access to or ‘hack’ the website.”