“View Source” is not a crime – St Louis paper reveals security flaw

On Tuesday, the St. Louis Post-Dispatch published an article showing that a huge security flaw existed on the State of Missouri’s Department of Elementary and Secondary Education (DESE) website. By choosing the View Source option available in any web browser, anyone could see the Social Security numbers of teachers in the site’s feature for searching credentials and teacher certifications.

The newspaper notified DESE about the issue and waited to publish the article until it had been resolved – a good form of responsible disclosure, or letting a vulnerable party know there’s a security issue and giving them a reasonable time to fix it before alerting the public.

According to the Post-Dispatch “more than 100,000 numbers were vulnerable.”

The View Source feature shows the HTML code that your web browser renders as text and images. Content can be hidden from view to be displayed later – like a popup that shows up after you click a button – but it’s still there in the HTML code that your browser receives. Developers can also insert comments into the source that the browser doesn’t render but that remain in the code for anyone reading it, to help them understand it.

HTML source isn’t hidden, obscured or private in any way. It should never contain secrets like passwords or Social Security numbers – that’s just bad security.
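To make that concrete, here is an added illustration (not code from the article or from the DESE site) of the two renderings side by side: a leaky template that puts a record’s SSN into a hidden element and an HTML comment, a safe one that never passes the field to the template at all, and a small response check that scans outgoing markup for SSN-shaped strings. The record and its SSN are constructed placeholders.

```python
import html
import re

# Constructed sample record; the SSN is a made-up placeholder, not real data.
RECORD = {"name": "Jane Example", "cert": "Elementary Education", "ssn": "123-45-6789"}

# SSN-shaped pattern (NNN-NN-NNNN); used only to detect leaks in rendered output.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def render_leaky(rec):
    """The anti-pattern: PII lands in the markup even though no visible element shows it.
    A hidden element and an HTML comment are both still in the bytes the browser receives,
    so View Source reveals them."""
    return (
        f"<!-- record ssn: {rec['ssn']} -->\n"
        f"<div class='teacher'>{html.escape(rec['name'])} - {html.escape(rec['cert'])}</div>\n"
        f"<div class='detail' style='display:none'>SSN: {rec['ssn']}</div>\n"
    )


def render_safe(rec):
    """Only the fields the page is meant to show are handed to the template;
    the SSN never leaves the server, so there is nothing for View Source to reveal."""
    public = {k: rec[k] for k in ("name", "cert")}
    return (
        f"<div class='teacher'>{html.escape(public['name'])} - "
        f"{html.escape(public['cert'])}</div>\n"
    )


def find_ssn_leaks(markup):
    """Response check: scan the full outgoing HTML (comments, hidden elements, everything)
    for SSN-shaped strings. Usable as a template test or as an egress filter on responses."""
    return SSN_RE.findall(markup)
```

The leaky rendering trips the check twice (comment and hidden div); the safe rendering trips it zero times because the value was dropped before templating rather than merely hidden.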

You can try View Source on this very article:

  • Firefox: Tools > Browser Tools > Page Source
  • Chrome: View > Developer > View Source
  • Safari: Develop > Show Page Source
  • Edge: Tools > Developer > View Source

You haven’t hacked anything by doing that, but Missouri Governor Mike Parson thinks you have. Parson threatened the Post-Dispatch on Thursday with potential criminal charges against the paper, instructing the Cole County prosecutor and the Missouri State Highway Patrol to begin an investigation.

The Post-Dispatch, its reporters and its researchers have done nothing wrong here. The real crime here is that the Social Security numbers of more than 100,000 teachers were available online for anyone to see.