Application Security & Online Fraud , Critical Infrastructure Security , Governance & Risk Management
Coding Flaw Exposes Voter Details for 6.5 Million Israelis
Failure to Secure API Allowed Unauthenticated AccessIsrael’s entire voter registration database – comprising close to 6.5 million people – was exposed to the internet because of an elementary coding flaw in an election application, according to an Israeli developer.
See Also: OnDemand - XDR: Five Factors to Keep in Mind for Better Implementation
The error exposed full names, addresses, phone numbers, ID card numbers, genders and other personal information, writes Ran Bar-Zik, a front-end developer for Verizon Media who's also a technology writer for Israeli publisher Haaretz.
Bar-Zik, who was tipped off to the vulnerability by a source, also wrote a separate blog post describing the coding error.
The application, called Elector, is used by the Likud Party, which is headed by Israel Prime Minister Benjamin Netanyahu. The exposure comes at a particularly sensitive time - Israel is due to hold a national election on March 2.
It also comes shortly after a faulty app used by Iowa’s Democratic Party in the U.S. caused confusion and chaos, hampering the counting of delegates in the nation’s first 2020 presidential election caucus (see: The Iowa Caucus: No Hacking, But a Bungled Risk Matrix).
According to Bar-Zik’s story in Haaretz, the company that developed the application, Elector Software, says it was a “one-off incident that was immediately dealt with.” It’s unclear how long the exposure lasted and whether others also accessed the data.
The web application for Elector is now offline. The New York Times reports that Israel’s Privacy Protection Authority says it's looking into the situation and that political parties are responsible for complying with privacy law.
Simple as ‘View Source’
The Likud Party uses Elector for outreach and interacting with voters, including sending SMS messages to voters, Bar-Zik writes. As in many countries, political parties in Israel get access to the electoral roll, and Likud had uploaded the data it received from the Electoral Commission to Elector.
Bar-Zik describes how he accessed the data, which can only very generously be described as a hack.
Elector is a mobile app and a web application. On the web application, Bar-Zik selected “view source” in a browser, which reveals the website’s HTML code.
Embedded in the code was a file path labelled “get-admin-users.” He simply copied and pasted that back into the URL bar, and then suddenly saw a list of admins, including their usernames and passwords.
He plucked a set of credentials and then tried to login. It worked. “I was in the system with full access to everything,” Bar-Zik writes.
He quickly realized the data was real and reported the issue. “I keep laughing that I do ‘view source’ and get fame for ‘hacks,’” he writes.
No Authentication
Elector Software made several errors when designing the application, Bar-Zik writes.
First, there was no authentication for the sensitive API that allowed access to admin accounts nor two-step verification.
Bar-Zik writes that he also connected to the system using a VPN, which would have come from an IP address outside of Israel. Elector should ban access from IPs from outside of Israel, he suggests.
There is a certain irony in the data exposure. Bar-Zik points out a Feb. 5 story in Calcalist.co.il that explored the security implications and influence of applications used by Israeli political parties to reach voters.
The CEO of Elector Software, Tzur Yemin, told the publication that "it is important to me that the company should meet the high standards of privacy and information security. This is something that is very important to me. Personally, I am a citizen of Israel, and I would not want my details leaked.”