Date: 2020-02-10

A misconfiguration in an election day app developed by Likud, Israeli Prime Minister Benjamin Netanyahu’s party, may have exposed and compromised the personal information of nearly 6.5 million Israeli citizens.

The leak was discovered today and detailed by Ran Bar-Zik, an Israeli-born front-end developer for Verizon Media.

It is unclear whether unauthorized parties accessed the exposed server and collected its data before Bar-Zik discovered the leak and made it public. Local Israeli media outlets such as Haaretz, Calcalist and Ynet confirmed Bar-Zik’s findings.

How the leak was discovered

According to Bar-Zik, he discovered the leak during a security audit of Elector, an app developed by Elector Software for Likud, an Israeli political party led by the current prime minister of the country, Benjamin Netanyahu.

Bar-Zik said he looked into the app after local media discovered various privacy-related issues with it in recent weeks, such as one that allows users to register other users for news delivered via SMS without their permission.

According to local media, the Likud party commissioned the app to allow political supporters to sign up for news and updates during the upcoming Israeli parliamentary elections, to be held next month, on March 2.

The app has been made available for download on the elector.co.il website.

In a blog post today, Bar-Zik said that this website exposed more information than it should have.

The developer said the site’s source code contained a link to an API endpoint meant for verifying site administrators.

Bar-Zik said the website developers had left this API endpoint online without a password, so that anyone could query it without restriction.

Sending requests to the API endpoint returned details about site administrators, including cleartext passwords.

Bar-Zik said that he used credentials returned by the API to access the site’s backend.

What the database contained

This backend seemed to provide access to a database with the personal information of 6,453,254 Israeli citizens who were eligible to vote in the upcoming elections, Bar-Zik said.

Local media claimed that the database was an official copy of Israel’s voter registration database, which every political party receives before an election, so that they can prepare upcoming campaigns.

According to Haaretz, each record in this database included information such as full name, phone number, ID card number, home address, gender, age and political preferences.

At the time of writing, the official website of the Elector app has been taken offline and removed from the cache of search engines such as Google and Bing, to prevent further access to the source code and admin API endpoint of the site.

In his blog post, Bar-Zik said that the developers of the app failed first when they left an API endpoint without a password, and then failed again when they did not protect admin accounts with a two-factor authentication mechanism.
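
The first of those failures, sketched from the defender's side as an added example (not code from Elector or from Bar-Zik's post): an admin-verification handler that rejects unauthenticated callers and answers with a boolean only, plus a regression check that flags secret-bearing fields in a response. All names, field names and sample values are hypothetical; two-factor authentication is not covered here.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # example work factor (assumption, tune for your hardware)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed sample data: the store keeps a salted hash, never the password itself.
SALT = os.urandom(16)
ADMINS = [{"user": "site-admin", "salt": SALT,
           "pw_hash": hash_password("constructed-sample-pw", SALT)}]
API_KEY = os.urandom(32).hex()  # server-side secret every caller must present
SECRET_KEYS = {"password", "pw_hash", "salt", "token"}

def verify_admin(request: dict) -> dict:
    """Hardened admin check: authenticated caller, boolean answer, no record data."""
    presented = str(request.get("api_key", "")).encode()
    if not hmac.compare_digest(presented, API_KEY.encode()):
        return {"status": 401}
    rec = next((a for a in ADMINS if a["user"] == request.get("user")), None)
    salt = rec["salt"] if rec else b"\x00" * 16  # do the same work for unknown users
    candidate = hash_password(str(request.get("password", "")), salt)
    ok = rec is not None and hmac.compare_digest(candidate, rec["pw_hash"])
    return {"status": 200, "is_admin": ok}

def leaked_secret_fields(body) -> set:
    """Walk a JSON-like response and return any secret-bearing keys it exposes."""
    found = set()
    if isinstance(body, dict):
        for key, value in body.items():
            if key.lower() in SECRET_KEYS:
                found.add(key)
            found |= leaked_secret_fields(value)
    elif isinstance(body, list):
        for item in body:
            found |= leaked_secret_fields(item)
    return found

# Constructed response shaped like the leak described above (placeholder values).
WEAK_RESPONSE = {"admins": [{"user": "site-admin", "password": "<cleartext>"}]}
```

Running `leaked_secret_fields` over every API response in an integration test turns the "cleartext passwords in the response" failure into a build error.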

Last year, ZDNet reported similar leaks that exposed voter databases from entire countries, namely Chile and Ecuador.

However, this leak is much worse, largely due to Israel’s position in the Middle East and its tense relations with neighboring Arab countries.