[BreachExchange] Personal data of all 6.5 million Israeli voters exposed by security flaw in app

Destry Winant destry at riskbasedsecurity.com
Thu Feb 13 10:18:10 EST 2020


https://www.cnn.com/2020/02/11/tech/israel-voters-data-exposed-intl/index.html

Jerusalem (CNN) A security flaw in a mobile app used primarily by Prime
Minister Benjamin Netanyahu's Likud party exposed the personal data of
every eligible voter in Israel just three weeks before a national
election.

The flaw in the Elector app revealed the names, addresses and identity
card numbers for each one of Israel's 6,453,255 voters in such a
simple way that it didn't require any advanced knowledge of hacking to
access the critical information.

"It wasn't very technical," said software developer Ran Bar-Zik, who
exposed the flaw in the Haaretz newspaper on Sunday after it was
fixed. "It's amazing. It's a very simple, very stupid hack. To call it
a hack is an insult to professional hackers." Before the flaw was
fixed, Bar-Zik said users could go to the Elector app's website and
view the source code, which revealed the logins of system
administrators, allowing anyone to access and download the voter
registry.
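The failure mode described above (administrator credentials shipped inside source that every visitor of the site can read) is exactly what a pre-release secret scan over the client-delivered bundle is meant to catch. The following is an added example, not code from the article, from Feed-b or from the Elector app: a small Python scanner that runs a few credential heuristics over a constructed sample JavaScript bundle, reports each hit with its line and category, and masks the secret value so the report itself is safe to circulate. The sample bundle, the identifier names in it and the pattern list are all assumptions made for the illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a front-end bundle (NOT the Elector code). It models the
# defect in the article: privileged credentials embedded in publicly served source.
SAMPLE_SOURCE = """\
// app.bundle.js (constructed sample)
const API_BASE = "https://example.invalid/api";
const ADMIN_USER = "admin";
const ADMIN_PASSWORD = "S3cretPassw0rd!";
const apiKey = 'AKIAEXAMPLEEXAMPLE01';
function login(u, p) { return fetch(API_BASE + "/login", {method: "POST", body: JSON.stringify({u, p})}); }
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number inside the scanned source
    kind: str      # which heuristic fired
    snippet: str   # matched text with the secret value masked


# Heuristics, checked in order; the first one that matches a line wins.
# These are deliberately simple starting points, not an exhaustive rule set.
PATTERNS = [
    # identifier containing pass/password/pwd/secret assigned a quoted literal
    ("password_assignment",
     re.compile(r"""(?i)\b[a-z_]*(pass(word)?|pwd|secret)[a-z_]*\s*[:=]\s*["'][^"']{4,}["']""")),
    # identifier naming a privileged account assigned a quoted literal
    ("admin_account",
     re.compile(r"""(?i)\b[a-z_]*(admin|root)[a-z_]*(user|name|login)?\s*[:=]\s*["'][^"']+["']""")),
    # AWS access key id shape (AKIA + 16 upper-case alphanumerics)
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def redact(match: str) -> str:
    """Keep the identifier, mask the secret so findings can be shared safely."""
    masked = re.sub(r"""(["'])[^"']*\1""", r"\1***\1", match)
    if masked == match:  # no quoted value, e.g. a bare key token: keep a 4-char prefix
        masked = match[:4] + "*" * (len(match) - 4)
    return masked


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per line that trips any credential heuristic."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append(Finding(lineno, kind, redact(m.group(0))))
                break  # one finding per line is enough for a release gate
    return findings


def is_release_safe(text: str) -> bool:
    """Gate a build: True only when no credential heuristic fires."""
    return not scan_source(text)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.snippet}")
    print("release safe:", is_release_safe(SAMPLE_SOURCE))
```

Run it as a CI step over every artifact that will be served to browsers (bundles, HTML, source maps) and fail the build on any finding; mature tooling such as gitleaks or trufflehog covers far more secret formats, but the gate itself is the point. Whatever a scanner finds or misses, the structural fix is the one the article implies: nothing privileged belongs in client-delivered code, and access to a registry of this size should sit behind server-side authentication and access logging rather than behind a secret the client is trusted to keep.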

Bar-Zik was tipped off to the flaw by an anonymous source to his
podcast. "The anonymous source sent me my son's details, who is a
soldier in the army. And I was amazed. And when I see the magnitude of
the details -- more than six million people -- I was shocked it was so
easy," Bar-Zik told CNN.

It's unclear how many people downloaded the sensitive data, but the
information was available for at least 24 hours and possibly much
longer. Bar-Zik notified the developer of the flaw on Friday evening.
It was fixed by Saturday evening, Bar-Zik confirmed, but it may have
been available long before Bar-Zik knew about it.

"It could be a lot of days, a lot of months even," he said.

CNN reached out to the app's developer, Zuriel Yamin, for comment. The
development firm, Feed-b, tried to downplay the security flaw, telling
Haaretz the flaw was a "one-off incident that was immediately dealt
with" and that security measures had been improved.

The app's history shows that Elector has been available for at least
nine months. The app was last updated four days ago with improvements
to the speed of the homepage and additional security features. Beyond
Israel, the app has also been downloaded in countries like Moldova,
China, Russia, and the United States. The numbers of downloads are far
smaller abroad, but if the data is downloaded even once, it can be
shared easily, potentially exposing the private data of millions of
Israeli citizens. Even after the security flaw was fixed, those who
had already downloaded the data could still share it.

In a country that prides itself on its reputation as the "Start-Up
Nation," and a cyber security powerhouse, the security flaw is a
significant embarrassment.

The Privacy Protection Authority in the Ministry of Justice has opened
up an "oversight procedure" because of the security breach and is
working to prevent the leak from continuing. Voter registry data is
provided to all of the political parties before an election. The
responsibility to comply with privacy and election laws is "first and
foremost on the parties," the ministry said in a statement.


Last week, Netanyahu urged his party's Likud supporters to download
the Elector app as a powerful tool to boost voter turnout on election
day, repeating "Elector!" as the app was shown on a big screen behind
him.

A statement from the Likud party pinned the blame on the developer.
"Elector is an external private provider that gives services to a
number of parties, and the professional and legal responsibility is on
[the developers]. From the moment it became clear that the company was
not meeting the encrypted standard of security, the Likud turned to a
leading information security company to do a thorough check of the
system."

Neither the Likud nor the developer are likely to face any serious
penalties for the security flaw, cautioned Tehilla Shwartz Altshuler,
who heads the Media Reform Program at the Israel Democracy Institute.
"The privacy authority doesn't really have enough enforcement tools,"
said Altshuler. "They can't really give fines and so on and so forth."
