A defect in an election day app developed by Likud, the party of Israeli prime minister Benjamin Netanyahu, has potentially exposed the personal details of more than 6.4 million Israeli citizens.
Ran Bar-Zik, an Israeli-born frontend developer for Verizon Media, discovered and detailed the leak. It is not known whether the exposed server and data had already been accessed by unauthorized parties before the leak was discovered.
Local Israeli media outlets Haaretz, Calcalist, and Ynet confirmed Bar-Zik's findings.
According to Bar-Zik, the leak was found while he was conducting a security audit of Elector, an app developed by Elector Software for Likud.
He examined the app after local media reported numerous privacy-related issues with it, such as the app allowing users to register other users for SMS-delivered news without their permission.
According to local media, the Likud party made the app so its political supporters could sign up for news and updates during the upcoming Israeli legislative election, which is to be held on March 2.
The app was available for download on the elector.co.il website.
The developer stated that the site's source code contained a link to an API endpoint that was meant to be used for authenticating the site's administrators.
Bar-Zik said the website's developers left this API endpoint exposed online without a password, permitting anyone to query it without restriction.
A query to the API endpoint returned details about the site's administrators, including their cleartext passwords.
Bar-Zik used credentials returned by the API to get access to the site's backend.
This backend provided access to a database containing the personal details of 6,453,254 Israeli citizens who are eligible to vote in the upcoming election.
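The two defects described above, an administrator lookup endpoint that answers without any authentication and that returns cleartext passwords, can be contrasted with a hardened form of the same handler. The following is an added illustration, not code from the Elector app or from Elector Software; the admin records, the bearer token, and the handler names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed sample record in the shape the article describes:
# administrator credentials stored, and returned, in cleartext.
WEAK_ADMINS = [{"user": "admin1", "password": "hunter2"}]


def weak_admin_lookup() -> dict:
    """Unauthenticated handler that hands back cleartext passwords."""
    return {"status": 200, "body": {"admins": WEAK_ADMINS}}


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2 so the server never holds a recoverable password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


_salt, _hash = hash_password("hunter2")
SAFE_ADMINS = [{"user": "admin1", "salt": _salt, "hash": _hash}]

# Constructed secret; a real deployment would load it from a secret store.
API_TOKEN = secrets.token_hex(32)


def safe_admin_lookup(bearer_token: Optional[str]) -> dict:
    """Requires a valid bearer token and never returns credential fields."""
    if bearer_token is None or not hmac.compare_digest(bearer_token, API_TOKEN):
        return {"status": 401, "body": {"error": "unauthorized"}}
    public = [{"user": a["user"]} for a in SAFE_ADMINS]
    return {"status": 200, "body": {"admins": public}}


def verify_admin(user: str, password: str) -> bool:
    """Checks a login against the stored hash in constant time."""
    for a in SAFE_ADMINS:
        if a["user"] == user:
            _, candidate = hash_password(password, a["salt"])
            return hmac.compare_digest(candidate, a["hash"])
    return False
```

With the hardened handler, an exposed endpoint URL in page source yields only a 401, and even an authenticated caller learns no password material that could be replayed against the backend.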
Local media stated that the database was an official copy of Israel's voter registration database, which every political party receives before an election so it can prepare for the upcoming campaign.
Every entry in this database contained information such as full name, phone number, ID card number, home address, gender, age, and political preferences.
The Elector app's official website was taken down and removed from search engine caches to prevent further access to the site's source code and admin API endpoint.
This issue cannot be taken lightly, given Israel's position in the Middle East and its tense relations with neighboring Arab countries.