Posted on February 10, 2020 at 11:53 AM
Reports have revealed that the ruling party of Israeli Prime minister Benjamin Netanyahu may have mistakenly leaked the personal information of about 5.5 million Israelites. According to the report, the leak may be a result of an Election Day app misconfiguration.
Verizon Media’s Israeli-born frontend developer, Ran Bar-Zik, discovered this leak, but it’s not clear whether the exposure was done by unauthorized persons before he discovered and exposed the leak. There is still ongoing investigation about the leak, and Bar-Zik is still looking into the details of the exposure to find out what really happened. Local media Ynet, Calcalist, and Haaretz have also reported Bar-zik’s findings.
Contents of the database
It appears that the backend is a gateway to a database that contains the details and personal information of more than 6 million Israeli citizens, who are completely eligible to participate in the forthcoming Israeli elections.
Local press said the exposed database is a copy of the voter registration database of Israeli voters, which is given to each political party to help them prepare for campaigns before the elections.
Bar-Zik stated that there are several important personal information from the database, which any hacker could use to do serious damage. The database contains information such as the full names of the Israeli, their political preference, age, gender, home address, ID card numbers, as well as phone numbers.
Presently, the official website of the electoral app is no longer available, and it has been taken out from the cache of major search engines such as Bing and Google. It has been removed to prevent any further access to the website’s API endpoint and source code.
Bar-Zik pointed out that he is not certain whether anyone had taken advantage of the leak to steal personal information of the voters who have their details in the database.
How the leak was discovered
Bar-Zik said he found out about the leak when he was carrying out a security audit on an Elector app, which is an app the Lukid election software developed.
Bar-Zik also said he started investigating the app when local media wrote about some privacy-related issues concerning the app in recent times. In the past few weeks, the press has been writing about the issue with the app to allow users to enroll other users for news delivered through SMM, by seeking the consent of the users.
Most of the local press reported that the Lukid party allowed the app to give easy access to political supporters to register for SMS-based news during the imminent Israeli legislative election, which is coming up next month.
Bar-Zik revealed in a blog post that eleccto.co.il, the website where users can download the app, has too much information which it shouldn’t be authorized to have. According to him, the level of information goes beyond something of general note, but some private data as well.
Bar-Zik also reported that the source code of the website contains a link to API endpoint which should be used for the authentication of the site’s administrators.
He further pointed out that the developers of the website exposed the API endpoint without protecting it with a password. This vulnerability gave anyone access to log into the system and got highly classified personal information without any sort of restriction.
When queries are sent to the API endpoint, they usually return information about the website’s administrators, which includes cleartext passwords.
In Bar-zik’s recent post, he said the developers of the app made huge mistakes twice. He said the developers made a huge error by allowing an API endpoint open and vulnerable without any sort of security for protection. He said they should have provided a strong password over the API endpoint instead of leaving it without any password.
The developers also failed again because they did not add a second security option to the database. They should have used two-factor authentication to secure the admin accounts. According to Bar-zik, these are two errors that should not be happening, considering a large number of exposed data at stake.
Last year, there was a reported exposure to the voter databases of some countries, including Ecuador and Chile. But this recent exposure is more significant because of the position of Israel in the Middle East.