A flaw in an application used by Israel's Likud party, led by Prime Minister Benjamin Netanyahu, could have exposed the personal data of 6.5 million people.
The problem was discovered by Verizon Media developer Ran Bar-Zik. It is unclear whether anyone found the hole before Bar-Zik did, or whether user data was actually compromised. Either way, local media, including Haaretz, Calcalist and Ynet, have already confirmed the researcher's findings.
Bar-Zik said he discovered the leak while auditing the Elector application, developed by Elector Software for the Israeli Likud party, led by current Prime Minister Benjamin Netanyahu. The app was available at elector.co.il.
The researcher took an interest in the app because the local media had recently raised a number of privacy issues with Elector. For example, reporters found that the application let users sign other people up for news via SMS without the latter's consent.
Bar-Zik writes on his blog that the app's website exposed more information than it needed to. Its source code contained a link to an API endpoint meant for authenticating the resource's administrators. Unfortunately, the site's developers had left the endpoint open, with no password required, so anyone could exploit the omission without restriction (two-factor authentication was not provided either).
Sending requests to this API endpoint returned information about the site administrators, including their clear-text passwords.
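As an added illustration (not code from Elector Software or from the article), the weak design described above next to a hardened handler: the weak endpoint answers without any authentication and serialises stored clear-text passwords, while the hardened one requires a bearer token and stores only salted PBKDF2 digests that are never returned. All names, records and the request shape are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not from the Elector incident.
ADMINS_WEAK = [{"username": "alice", "password": "hunter2", "role": "owner"}]


def admins_endpoint_weak(request):
    """Models the reported flaw: no authentication check, and the handler
    serialises every stored field, clear-text password included."""
    return 200, ADMINS_WEAK


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored value can be verified but cannot
    be turned back into the password that a leaky endpoint would expose."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_admin(username, password, role):
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt, "digest": digest, "role": role}


ADMINS_HARDENED = [make_admin("alice", "hunter2", "owner")]
SESSIONS = {}  # bearer token -> username


def login(username, password):
    """Returns a random session token on success, None otherwise."""
    for admin in ADMINS_HARDENED:
        if admin["username"] == username:
            _, digest = hash_password(password, admin["salt"])
            if hmac.compare_digest(digest, admin["digest"]):
                token = secrets.token_urlsafe(32)
                SESSIONS[token] = username
                return token
    return None


def admins_endpoint_hardened(request):
    """Requires a valid bearer token and never serialises credential fields."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token not in SESSIONS:
        return 401, {"error": "authentication required"}
    return 200, [{"username": a["username"], "role": a["role"]} for a in ADMINS_HARDENED]
```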
The researcher used these credentials to gain access to the site's backend. There, Bar-Zik found a database containing the personal data of 6,453,254 Israeli citizens eligible to vote in the upcoming elections.
The local press reports that this database is a copy of the official Israeli register of voters, which every political party receives before an election to prepare its campaign. According to Haaretz, the database contains full names, phone numbers, ID numbers, home addresses, gender, age and political preferences.
The Elector application's site has now been taken down and has already disappeared even from the caches of search engines, including Google and Bing, to prevent possible abuse of the discovered bug.