Hacker Claims to Have Breached Israel’s Voter Registry Just Before the Elections
Last updated April 8, 2019
An Israeli researcher, Ran Bar-Zik, has discovered a data leak that apparently came from an “election day” application that was developed by the political party “Likud”. Likud – National Liberal Movement is the political party to which the current, and four-time, Prime Minister, Benjamin Netanyahu, belongs. The leak was the result of a misconfiguration in the app, and the exposure has affected approximately 6.4 million people. Whether malicious actors have managed to locate and download this data remains unknown at this point, but the leaky website has already been taken down.
Bar-Zik was performing a security audit on the app out of personal interest. The researcher decided to look deeper into the workings of the software after users reported that they had been registered for SMS-delivered news from the app without ever providing their consent. The app followed an aggressive promotional approach because of the events that have taken place in Israel lately. Although Netanyahu was formally indicted on corruption charges in January, he insists on remaining the leader of the Likud party for the March 2020 legislative elections. This follows the political deadlock of April and September 2019, so this is now the third attempt to form a governing majority.
Desperate times call for desperate measures, so the Likud app developers thought it would be appropriate to push news and updates to both political supporters and those on the opposite side without asking for their consent. However, Bar-Zik has also discovered API endpoint bugs, indicating that the software was developed hastily. Anyone could access the API endpoint without a password and without having to go through 2FA steps. He managed to query data from the app without restrictions and got administrator details back, including their credentials in plaintext form. By using these credentials, Bar-Zik accessed the platform’s website backend, which in turn provided access to the personal details of 6,453,254 Israeli citizens.
Each entry in the database includes the full name, phone number, home address, ID card number, gender, age, and political preference of the individual. Considering that many of these people haven’t given their consent to the use of this data for political message promotion, having it potentially exposed to malicious actors is entirely unacceptable. It seems that Likud gathered the information of all people who can vote in the country and exposed it online. Israel has a population of about 8.7 million, so 6.4 million is the number of people who are eligible to vote (citizens over the age of 18).