Massive data leak of 6.5 Million Israeli voters’ personal data was exposed on a leak which included names, gender, addresses, and identity card numbers as well as phone numbers and other private information.
Every electoral party list in Israel was given a database containing every Israeli’s personal information for use in their campaign providing that they will not reproduce a copy and delete their copies once the election is done.
The Likud party, which is the Israeli political party led by Prime Minister Benjamin Netanyahu, utilizes the Elector Mobile App for their electoral campaign in order for them to interact and provide updates with the voters. However, the glitch started when the IT Company, Feed-B – who developed the said Application had a security lapse. The Elector Web page had the admin access exposed in the source code of the website.
Whoever visits the Elector Webpage without an in-depth technical knowledge can just right click on the website and choose ‘view page source’. The source code of the page contains a link for the ‘get-admins-users’ where hackers can just visit to be able to view the link for the Administrator page that has access to the entire voters’ database. Anyone who will access the said page will not only be able to view the database itself but also download the information contained within.
Ran Bar Zic, the developer who exposed the massive data leak, was surprised that their hack was so obvious, even a non-hacker can perform it – which would appear as an insult to people with extreme hacking skills.
According to Ran Bar Zic, he was able to identify four (4) programming failures on the said security leak:
First Failure – An API that works without a considerable level of authentication
Second failure – No 2-Sstep verification. Access to very sensitive data needs to have a strict login method.
Third failure – No rigorous logging system in terms of geographical location. The developer was able to access the website using a VPN that is connected to a third world country. Such site with sensitive information could have just been available to geographically.
Fourth failure – No protection from suspicious activities performed by site visitors. Ran Bar Zic reported that he only did bare minimum probing on the site to realize that he was working on actual data.
Feed-B downplayed the error and asserted that the vulnerability was a “one-off incident that was immediately dealt with” and that security methods have since been enhanced.
It’s still unclear if how many page visitors were able to view and download the voters’ database. The Elector webpage has been made unavailable after the security leak.
iZOOlogic, through their threat researchers, were able to identify and find a similar leaked database from the dark web on leaked voters’ database from various countries. Most of them were dumped for many reasons, including doxing and identity theft. It was sold for a small fortune in some dark internet forums. As a threat intelligence company, we alert different organizations on such activities to help them formulate an action plan to further protect their brand and user-base.