Viewing HTML is not a crime

To the latest version of Chrome 98

added function

, with the help of which the local network administrator can block the viewing of HTML-code of pages in the browser.

This is done primarily for educational institutions where students in this way bypass blocking and filters… However, security professionals and developers express concern, which thus creates an unpleasant precedent. After all, HTML was originally created as a completely open standard. It was never supposed to be hidden from prying eyes.

All this takes place against the backdrop of a story with an American web developer and journalist who found confidential data. right in the HTML code on the Missouri government website – and wrote about this disgrace… Now he faces a prison term for hacking.

If anyone hasn’t heard of that story, in October 2021, journalist and web developer Josh Renaud posted
article in the local newspaper St. Louis Post-Dispatch describing a vulnerability in the code of a web application on the Missouri Department of Elementary and Secondary Education website.


Site Missouri Department of Elementary and Secondary Education

The vulnerability gave out social security numbers of school teachers, administrators and other personnel (more than 100,000 people in total). The site had a search function that allowed anyone to view information about Missouri teachers without authorization. You could enter your last name or the last four digits of your Social Security number as a search. But due to a software error, the server wrote full SSN numbers in the HTML-code of the pages – and sent it to the client.

The specific bug in the CMS is not named, but it is said that it has been known for over 12 years.

Before publishing the information, the newspaper gave the school department time to fix the vulnerability, and then published the information. In response, the school department accused the journalist and newspaper of disclosing confidential data. V official press release states that “the hacker took the records of at least three educators, decoded the HTML source code, and looked at the social security number (SSN) of those particular educators.”

In reality, the newspaper found nine-digit numbers in the HTML code, in plain text – and checked with third-party databases that these numbers are indeed SSN numbers of three current employees. Consultation and assistance in verification was provided by Shaji Khan, professor of information security at the University of Missouri-St.Louis.

Then the situation began to escalate. The teachers were unexpectedly supported by Governor Michael Parson, who instructed the police department open a criminal case and investigate “this is a crime against teachers in our state of Missouri.” The journalist allegedly hacked into the website of the Department of Education and disclosed private data. The authorities also launched an investigation into Professor Khan’s actions, and a police patrol came to his home for questioning.

Information security specialists in one voice they saythat viewing open source HTML is not a crime. But the professor has already hired a lawyer for a possible defense in court, because it is not known how this story will end …

As for the new Chrome feature, it is about “fixing a bug” in the system.

URLBlocklist

… These are lists of allowed or denied URLs that are written in corporate policies.

Chrome Enterprise

and work for Chrome browsers and devices running the ChromeOS operating system (such cheap laptops are often installed in schools).

Students bypass the blocking by copying the page’s HTML code from the Google search results into an online editor. In the video that showed to Chrome developers a teacher from an Illinois school, the external site opens inside a third-party editor htmledit.squarefree.comwhere the source code of the page with Google search results is loaded.

In addition to launching extraneous games, schoolchildren allegedly use viewing HTML code for cheating in order to find out the correct answers during the exam if the system is not designed correctly.

Of course, the update will not allow the sites themselves to hide their code. But there are fears that everything is heading towards this.

HTML is the basic language for web development. An integral property of the web is transparency. By default, pages, all static pages on the server are publicly available and open for viewing. This is the point publicly available information. This was originally conceived by the developers of the WWW.

However, some site owners think they own the HTML code – and they can prevent other people from looking at it. In principle, the logic is clear. But in this case, you need to execute the code on the server – and send only the result to the browser. And if the code is sent to the user’s browser, saved on his computer (in the cache) and indexed by search engines, then it’s somehow strange to threaten with criminal prosecution for viewing this information.

Similar Posts

Leave a Reply