“We’re pretty shocked to hear this,” said Byron Clemens, spokesperson for the American Federation of Teachers’ local, AFT St. Louis Local 420. He praised DESE for taking swift action to remove the concerned website, but cautioned, “We don’t know yet if anyone has been injured.”
“A serious flaw”
Although no private information was clearly visible or searchable on any of the web pages, the newspaper found that teachers’ social security numbers were contained in the HTML source code of the affected pages.
The newspaper asked Shaji Khan, professor of cybersecurity at the University of Missouri-St. Louis, to confirm the conclusions. He called the vulnerability a “serious flaw”.
“We’ve known about this type of flaw for at least 10 to 12 years, if not more,” Khan wrote in an email. “The fact that this type of vulnerability is still present in the DESE web application is mind-boggling!”
Khan urged the state to conduct a thorough audit to ensure that no other web application contains similar vulnerabilities.
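The flaw described above is that sensitive values sit in the HTML source without appearing on the rendered page, and an audit of the kind Khan urges would start by checking an application's own responses for exactly that. The following is an added example, not code from the newspaper, DESE or anyone quoted here: it separates what a browser renders from what it does not (comments, script/style bodies, tag attributes such as hidden form fields) and reports SSN-looking strings by location. The sample page and the SSN value in it are constructed.

```python
import re
from html.parser import HTMLParser

# Formatted SSNs only; a real audit would also cover unformatted 9-digit forms.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class SourceAuditor(HTMLParser):
    """Collects SSN-looking strings anywhere in the HTML source, tagging each
    with whether a browser would actually render it."""

    def __init__(self):
        super().__init__()
        self.findings = []       # list of (location, value)
        self._in_raw = 0         # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._in_raw += 1
        for name, value in attrs:  # hidden inputs, data-* attributes, etc.
            for ssn in SSN_RE.findall(value or ""):
                self.findings.append((f"attribute {tag}@{name}", ssn))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_raw:
            self._in_raw -= 1

    def handle_data(self, data):
        where = "script/style" if self._in_raw else "visible text"
        for ssn in SSN_RE.findall(data):
            self.findings.append((where, ssn))

    def handle_comment(self, data):
        for ssn in SSN_RE.findall(data):
            self.findings.append(("html comment", ssn))


def audit_html(source: str):
    """Return every SSN-looking value in the page source with its location."""
    parser = SourceAuditor()
    parser.feed(source)
    parser.close()
    return parser.findings


# Constructed sample mimicking the flaw: the rendered page shows nothing
# sensitive, but the SSN is in a hidden field, a script variable and a comment.
SAMPLE_PAGE = """<html><body>
<h1>Educator Credential Lookup</h1>
<p>Name: Jane Doe &mdash; Certificate: ACTIVE</p>
<form><input type="hidden" name="ssn" value="123-45-6789"></form>
<script>var record = {id: 42, ssn: "123-45-6789"};</script>
<!-- debug: ssn=123-45-6789 -->
</body></html>"""

if __name__ == "__main__":
    for where, value in audit_html(SAMPLE_PAGE):
        print(f"{where}: {value}")
```

Every hit outside "visible text" is data the server sent that the page never needed to display, which is the design defect the article describes.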
According to McGowin, such an audit had started on Tuesday and was still underway at noon on Wednesday. She said that to her knowledge, no other instances of the flaw had been identified.
“Unfortunately, these types of flaws and poor design choices are more common than we would like,” Khan wrote. “Local and state governments across the country still often use applications that were developed many years ago and potentially contain serious security vulnerabilities.”