“We’re pretty shocked to hear about this,” said Byron Clemens, spokesman for the local chapter of the American Federation of Teachers, AFT St. Louis Local 420. He praised DESE for taking quick action to remove the affected website, but cautioned, “We don’t know if anybody’s been harmed yet.”
‘A serious flaw’
Though no private information was visibly displayed or searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were embedded in the HTML source code of the pages involved, where anyone viewing the page source could read them.
The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability “a serious flaw.”
“We have known about this type of flaw for at least 10-12 years, if not more,” Khan wrote in an email. “The fact that this type of vulnerability is still present in the DESE web application is mind boggling!”
Khan urged the state to perform a thorough audit to ensure no other web applications contain similar vulnerabilities.
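The flaw described above (sensitive data sent to the browser even though the page never displays it) and the audit Khan recommends can both be illustrated in a few lines. The following is an added example, not code from the article or from the DESE application: a constructed `render_vulnerable` that embeds a Social Security number in a hidden form field, a `render_hardened` version that never sends the number at all, and a `find_ssn_like_values` scan that an audit could run over rendered page source to flag the leak. The teacher records and SSN values are fabricated placeholders.

```python
import html
import re

# Constructed sample records. The SSN values are fabricated for this example.
TEACHERS = [
    {"id": 101, "name": "A. Example", "ssn": "123-45-6789", "cert": "Active"},
    {"id": 102, "name": "B. Sample", "ssn": "987-65-4321", "cert": "Expired"},
]

# Matches the ###-##-#### layout of a Social Security number.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def render_vulnerable(teachers):
    """The weak pattern: the SSN is carried in a hidden input so the server can
    look the record up again on the next request. Nothing is shown on screen,
    but the value is plainly present in the HTML source."""
    rows = []
    for t in teachers:
        rows.append(
            "<tr>"
            f"<td>{html.escape(t['name'])}</td>"
            f"<td>{html.escape(t['cert'])}</td>"
            f"<td><input type=\"hidden\" name=\"ssn\" value=\"{html.escape(t['ssn'])}\"></td>"
            "</tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_hardened(teachers):
    """The corrected pattern: only the fields the page actually needs leave the
    server, and an opaque record id replaces the SSN as the lookup key. The SSN
    never reaches the browser in any form."""
    rows = []
    for t in teachers:
        rows.append(
            "<tr>"
            f"<td>{html.escape(t['name'])}</td>"
            f"<td>{html.escape(t['cert'])}</td>"
            f"<td><input type=\"hidden\" name=\"record_id\" value=\"{int(t['id'])}\"></td>"
            "</tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def find_ssn_like_values(page_source):
    """Audit check: scan raw page source (not the rendered view) for SSN-shaped
    values. Returns every match so an auditor can see what would have leaked."""
    return SSN_RE.findall(page_source)


if __name__ == "__main__":
    leaked = find_ssn_like_values(render_vulnerable(TEACHERS))
    print("vulnerable page leaks:", leaked)          # two SSN-shaped values
    print("hardened page leaks:", find_ssn_like_values(render_hardened(TEACHERS)))  # []
```

The audit function inspects the HTTP response body rather than what a browser displays, which is the distinction the article turns on: a value can be invisible on screen and still be delivered to every visitor in the page source.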
According to McGowin, such an audit had begun Tuesday and was still underway at noon Wednesday. She said that as far as she was aware, no other instances of the flaw had been identified.
“Unfortunately, these types of flaws and poor design choices are more common than we’d like,” Khan wrote. “Local and state governments across the country are often still using applications developed many years ago and potentially containing serious security flaws.”