White Hats Beware: US Governor Calls for Investigation Against Journalist Who Properly Reported Data Security Vulnerability

A web app for Missouri’s Department of Education exposed around 100,000 Social Security Numbers to any web user who viewed the source code of the web page. Reporters notified the state’s Department of Education so it could fix the issue before they published a news story. In response, Missouri’s Governor issued stern statements about initiating investigations with prosecutors, drawing ridicule on Twitter as well as other social media platforms and websites.

While this story is comical, there are two important lessons to take note of. The first is that organizations handling PII or any sensitive information should have a vulnerability reporting mechanism in place. This is often referred to as a vulnerability disclosure policy, or VDP. Researchers, white hat hackers, academics and even journalists may intentionally or inadvertently uncover issues that warrant correcting before more nefarious actors discover them.

The second is that organizations need to audit and understand the level of information that is accessible via open or public web apps. In this particular instance, the web app supported a lookup by the last 4 digits of an SSN, but stored the full SSNs in plain text. Something as simple as viewing the page's source code, which even people who are not technical experts may do, exposed the full list.
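One way to run the kind of audit described above against your own application's responses, as an added example that is not from the original article or from the Missouri system: it parses a page's source and reports SSN-shaped values by where they sit (comments, attributes, script bodies, text). The `SAMPLE` page, the function names and the location labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# SSN-shaped token: 9 digits, optionally split 3-2-4 by the same '-' or ' '.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Constructed sample response: a last-4 lookup form that ships full values.
SAMPLE = """<html><body>
<form><input name="last4" maxlength="4"></form>
<!-- debug: 219-09-9999 -->
<input type="hidden" name="rec" value="078051120">
<script>var rows = [{"name": "A. Teacher", "ssn": "123-45-6789"}];</script>
<p>Order 000-12-3456 shipped; call 555-12-0000.</p>
</body></html>"""

def plausible_ssn(area, group, serial):
    """SSA structural rules, used to cut false positives."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

class SourceAuditor(HTMLParser):
    """Collects SSN-shaped values and the part of the source they appear in."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (location, masked value)
        self._raw = None     # currently open <script>/<style>, if any

    def _scan(self, text, location):
        for m in SSN_RE.finditer(text or ""):
            if plausible_ssn(m.group(1), m.group(3), m.group(4)):
                # Mask so the audit report does not re-expose the value.
                self.findings.append((location, "***-**-" + m.group(4)))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw = tag
        for name, value in attrs:
            self._scan(value, f"<{tag}> attribute {name}")

    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None

    def handle_data(self, data):
        self._scan(data, f"<{self._raw}> body" if self._raw else "text node")

    def handle_comment(self, data):
        self._scan(data, "HTML comment")

def audit(html):
    auditor = SourceAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Any finding on a page that only needs the last 4 digits means the server is sending more than the feature requires; the fix belongs on the server side, not in hiding the value in the markup.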

