They say no good deed goes unpunished, and this story illustrates it. According to Missouri Gov. Mike Parson, a St. Louis Post-Dispatch reporter who accidentally came across HTML source code for a Missouri Department of Elementary and Secondary Education website is now looking at charges of computer tampering, the Union Bulletin reported (may be inaccessible outside the United States).
It all started when the reporter used the "view source" menu item, which shows the HTML code of a web page, and discovered that the source contained the Social Security numbers of educators. Being a diligent and respectful citizen, he then informed the state of the dangerous glitch.
Once the private numbers had been removed from the web page, the Post-Dispatch published a report on the incident. This led Governor Parson to announce a criminal investigation into the reporter and the Post-Dispatch.
“If someone chooses your lock on your home – for some reason, it’s not a good lock, it’s a cheap block or any problem you can have – they do not have the right to go home and take something that belongs to you,” Parson said in a clearly very misleading statement.
The analogy here is not entirely correct: the reporter did not abuse the vulnerability; rather, his report is the reason the issue was fixed. He handled it the way a security researcher probably would: with responsible disclosure. The news outlet referred to an FBI agent who said the incident “is not an actual network intrusion.”
Instead, the state database was “misconfigured”, which “allowed the use of open source tools to query data that should not be public.” This sentiment was echoed by Post-Dispatch President and publisher Ian Caso, who explicitly said that no network intrusion had occurred and that the outlet's reporter should have been thanked for the discovery rather than treated as a nefarious hacker.