Netanyahu's party exposes data on over 6.4 million Israelis

The app's website exposed a link to an API endpoint that was left without a password, allowing third parties to obtain passwords for admin accounts.
Written by Catalin Cimpanu, Contributor

A misconfiguration in an election day app developed by Likud, the party of Israeli prime minister Benjamin Netanyahu, may have exposed and compromised the personal details of almost 6.5 million Israeli citizens.

The leak was discovered and detailed today by Ran Bar-Zik, an Israeli-born frontend developer for Verizon Media.

It is unclear whether the exposed server and its data were harvested by unauthorized parties before Bar-Zik's discovery and public disclosure. Local Israeli media such as Haaretz, Calcalist, and Ynet confirmed Bar-Zik's findings.

How the leak was discovered

According to Bar-Zik, he discovered the leak while performing a security audit of Elector, an app developed by Elector Software for Likud, an Israeli political party led by the country's current prime minister Benjamin Netanyahu.

Bar-Zik said he looked into the app after local media surfaced several privacy-related issues with it in recent weeks, such as the app allowing users to register other people for SMS-delivered news without their consent.

According to local media, the Likud party commissioned the app so that political supporters could sign up for news and updates during the upcoming Israeli legislative election, to be held on March 2, next month.

The app was made available for download on the elector.co.il website.

Image: Ran Bar-Zik

In a blog post today, Bar-Zik said this website contained more information than it should.

The developer said the site's source code included a link to an API endpoint that was supposed to be used to authenticate the site's administrators.

Image: Ran Bar-Zik

Bar-Zik said the website's developers left this API endpoint exposed online without a password, allowing anyone to query it without restriction.

Sending queries to the API endpoint returned details about the site's administrators, including cleartext passwords.

Image: Ran Bar-Zik

Bar-Zik said that he used credentials returned by the API to gain access to the site's backend.

Image: Ran Bar-Zik

What the database contained

This backend appeared to provide access to a database containing the personal details of 6,453,254 Israeli citizens eligible to vote in the upcoming election, Bar-Zik said.

Local media claimed the database was an official copy of Israel's voter registration database, which each political party receives before an election so that it can prepare its campaign.

According to Haaretz, each entry in this database held information such as full name, phone number, ID card number, home address, gender, age, and political preferences.

At the time of writing, the Elector app's official website has been taken down and removed from the caches of search engines such as Google and Bing, to prevent further access to the site's source code and admin API endpoint.

In his blog post, Bar-Zik said the app's developers failed because they left an API endpoint exposed without a password and then failed again when they didn't secure admin accounts with a two-factor authentication mechanism.
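As an added illustration of the two failures Bar-Zik describes (this is not Elector's code; the admin records, token, field names and handler names are constructed), here is the unauthenticated, cleartext pattern beside a hardened handler, plus an audit check a reviewer could run against API responses:

```python
import hashlib
import hmac
import os
import secrets

# Constructed records. The weak store keeps admin passwords in cleartext, as the
# exposed endpoint returned them; the hardened store keeps only salted hashes.
WEAK_ADMINS = [{"user": "admin1", "password": "Summer2020!"}]

def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

_SALT = os.urandom(16)
HARDENED_ADMINS = [{"user": "admin1", "salt": _SALT,
                    "pw_hash": hash_password("Summer2020!", _SALT)}]
API_TOKEN = secrets.token_hex(16)  # constructed; in practice from a secrets manager

def weak_admin_lookup(request: dict) -> dict:
    """The misconfiguration pattern: no authentication, full records serialized."""
    return {"status": 200, "body": [dict(a) for a in WEAK_ADMINS]}

def hardened_admin_lookup(request: dict) -> dict:
    """Require a valid bearer token; only an allow-list of fields leaves the server."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not hmac.compare_digest(token.encode(), API_TOKEN.encode()):
        return {"status": 401, "body": {"error": "authentication required"}}
    return {"status": 200, "body": [{"user": a["user"]} for a in HARDENED_ADMINS]}

def verify_admin_password(user: str, password: str) -> bool:
    """Login check against the hashed store; a leaked store yields no usable passwords."""
    for a in HARDENED_ADMINS:
        if a["user"] == user:
            return hmac.compare_digest(hash_password(password, a["salt"]), a["pw_hash"])
    return False

SECRET_KEYS = {"password", "pw_hash", "salt", "secret", "token"}

def leaks_credentials(response: dict) -> bool:
    """Audit check for response bodies: does any record carry a credential field?"""
    body = response["body"]
    records = body if isinstance(body, list) else [body]
    return any(k.lower() in SECRET_KEYS
               for r in records if isinstance(r, dict) for k in r)
```

Running `leaks_credentials` over recorded responses in a staging environment catches the cleartext-password case before deployment, independently of whether the endpoint is authenticated.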

Last year, ZDNet reported about similar leaks that exposed the voter databases of entire countries, namely Chile and Ecuador.

However, this one is much worse, largely because of Israel's position in the Middle East and its tense relations with neighboring Arab countries.
