An app flaw has exposed personal data of all 6.5 million voters in Israel. The vulnerability was found in the election app used by Prime Minister Benjamin Netanyahu’s party that has leaked voters' full names, home addresses, identity card numbers, along with their phone numbers in many cases.
The Times of Israel reports that a petition has been filed against the PM's Likud party, after a programmer disclosed "one of the largest and most compromising leaks of Israelis’ personal information in the nation’s history". The petition accuses the ruling party of violating privacy laws by creating and sharing access of this database carrying all the voter information by exploiting its access to the official voter registry.
The petition, filed Thursday, accuses Likud of using its access to the official Central Elections Committee voter registry to create a database of all voting-age Israelis that it then made available to its grassroots activists through the publicly available app Elector. The app is intended to enable political parties to conduct real-time data-crunching on election day, showing vital ground-game information on individual voters, polling stations (including rates of support for a party by station) and regions. But a flaw in the app’s web interface gave “admin access” to the entire database, allowing anybody to access and copy the Israeli voter registry, along with additional information gathered by Likud about hundreds of thousands of voters.
No technical skills required to get access to Israeli voter data
The publication added that anyone visiting the app maker Elector's website could get access to the database through its page source. "Using the usernames and passwords of admins, one could log into the site with full access to the entirety of the database, including the most up-to-date information available to the Central Elections Committee for all Israeli adult citizens," the report said.
The government does give voter data access to the political parties, which they are required to safeguard. Likud, however, gave this access to a software maker to create this app and since they aren't supposed to hand over access to third parties, Likud is attracting some lawsuits.
The Privacy Protection Authority has said in its statement that the responsibility for complying with the privacy laws "lies with the parties themselves." Leaks of this magnitude open victims to identity fraud and potential electoral manipulation. This is the reason why security experts are pushing governments to not be too quick at adopting new election technologies or giving access to data and turning that data into apps without having stringent policies and fool-proof security mechanisms in place.
"When we talk about hacking, we imagine people in hoodies doing technical stuff,” Ran Bar-Zik, the programmer who initially reported the leak to Israel’s cyber headquarters, said, adding that in this case no technical skills were needed.