Reports have revealed that the ruling party of Israeli
Prime Minister Benjamin Netanyahu may have mistakenly leaked the personal information of
about 5.5 million Israelis. According to the report, the leak may be the result
of a misconfiguration in an Election Day app.
Ran Bar-Zik, an Israeli-born frontend developer at Verizon Media,
discovered the leak, but it is not clear whether unauthorized persons accessed
the data before he discovered and exposed it. An investigation is
still ongoing, and Bar-Zik is still looking into
the details of the exposure to find out what really happened. Local media outlets Ynet,
Calcalist, and Haaretz have also reported Bar-Zik’s findings.
It appears that the backend is a gateway to a database that contains the details and personal information of more than 6 million Israeli citizens who are eligible to vote in the forthcoming Israeli elections.
Local press said the exposed database is a copy of the
Israeli voter registration database, which is given to each political
party to help it prepare its campaign before the elections.
Bar-Zik stated that the database holds several important pieces of personal
information, which any hacker could use to do serious damage.
The database contains information such as the voters’ full names,
political preference, age, gender, home address, ID card numbers, and
phone numbers.
Presently, the official website of the electoral app is no longer available, and it has been removed from the caches of major search engines such as Bing and Google. It was removed to prevent any further access to the website’s API endpoint and source code.
Bar-Zik pointed out that he is not certain whether anyone
had taken advantage of the leak to steal personal information of the voters who
have their details in the database.
Bar-Zik said he found out about the leak when he was
carrying out a security audit of the Elector app, the Likud
party’s election software.
Bar-Zik also said he started investigating the app when local
media wrote about some privacy-related issues concerning the app in recent
times. In the past few weeks, the press has been writing about an issue with
the app that allows users to enroll other users for news delivered through SMS, by
seeking the consent of the users.
Most of the local press reported that the Likud party allowed
the app to give political supporters easy access to register for SMS-based
news during the imminent Israeli legislative election, which is coming up next
month.
Bar-Zik revealed in a blog post that eleccto.co.il, the
website where users can download the app, holds far more information than it
should be authorized to have. According to him, the information
goes beyond details of general note and includes private data as well.
Bar-Zik also reported that the source code of the website
contains a link to an API endpoint that is meant to be used for authenticating
the site’s administrators.
He further pointed out that the developers of the website
exposed the API endpoint without protecting it with a password. This
vulnerability allowed anyone to log into the system and obtain highly
classified personal information without any sort of restriction.
When queries are sent to the API endpoint, they usually
return information about the website’s administrators, which includes cleartext
passwords.
In his recent post, Bar-Zik said the developers of
the app made huge mistakes twice. He said the developers made a huge error by
leaving an API endpoint open and vulnerable without any sort of
protection. He said they should have protected the API
endpoint with a strong password instead of leaving it without any password.
The developers failed a second time because they did not add a
second layer of security to the database. They should have used two-factor
authentication to secure the admin accounts. According to Bar-Zik, these are
two errors that should not happen, considering the large amount of
data at stake.
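
The controls the paragraphs above say were missing (authentication on the admin endpoint, a second factor for admin accounts, no cleartext passwords in storage or in responses), shown as an added example; it is not code from the Elector app or from Bar-Zik's post. All names, the in-memory store and the sample values are constructed for illustration.

```python
import hashlib, hmac, os, struct, time

def hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash; the cleartext is never kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 time-based one-time code (HMAC-SHA1), used as the second factor.
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample record; a real deployment uses random per-user salts and secrets.
ADMINS = {
    "admin1": {
        "name": "Example Admin",
        "salt": b"constructed-salt",
        "pw_hash": hash_password("constructed-passphrase", b"constructed-salt"),
        "totp_secret": b"constructed-totp-secret",
    }
}
SESSIONS = {}                 # session token -> username
PUBLIC_FIELDS = ("name",)     # allow-list of fields the API may return

def login(username: str, password: str, code: str, now: float = None):
    # Issue a session token only if both the password and the TOTP code match.
    now = time.time() if now is None else now
    admin = ADMINS.get(username)
    if admin is None:
        return None
    pw_ok = hmac.compare_digest(hash_password(password, admin["salt"]), admin["pw_hash"])
    code_ok = hmac.compare_digest(totp(admin["totp_secret"], now).encode(), code.encode())
    if not (pw_ok and code_ok):
        return None
    token = os.urandom(32).hex()
    SESSIONS[token] = username
    return token

def list_admins(token):
    # The admin listing refuses callers without a valid session ...
    if token not in SESSIONS:
        return 401, {"error": "authentication required"}
    # ... and serializes only allow-listed fields, never credential material.
    return 200, [{"username": u, **{f: a[f] for f in PUBLIC_FIELDS}}
                 for u, a in ADMINS.items()]
```
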
Last year, exposures of the voter
databases of some countries, including Ecuador and Chile, were reported. But this recent
exposure is more significant because of the position of Israel in the Middle
East.