Likud Election App Exposes All Israel’s Voters

An election app used by Israel’s Likud party has leaked the personal information of all of the country’s voters, it has emerged.

Developed and managed by a company called Feed-b, the Elector app is used by prime minister Netanyahu’s party to contact voters with news and updates.

Serious security and privacy concerns about the app had swirled in Israeli media before researcher Ran Bar-Zick decided to take a look.

He found serious security deficiencies that exposed the full names, identity card numbers, addresses, phone numbers, gender and other personal details of every eligible voter in Israel.

According to Bar-Zick, all a visitor to the app’s home page would need to do is right click and choose “view source” to expose the underlying code, which reveals all admin usernames and passwords. Entering these would allow an attacker to log in as admin and download the entire voter registry.

The problem stemmed from an API endpoint which was left exposed without a password, and a lack of two-factor authentication throughout the site.
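As an added illustration (not code from the article, Feed-b or the researcher), a release check can scan the markup a site serves for literal secrets in the parts "view source" reveals, so the defect is caught before deployment. The article does not say how the credentials were embedded, so the key names and the sample page below are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Key names that should never carry a literal value in client-delivered code.
# The list is an assumption for this sketch; extend it for your own code base.
SECRET = re.compile(
    r"""["']?\b(?P<key>pass(?:word|wd)?|pwd|secret|api[_-]?key|token)["']?"""
    r"""\s*[:=]\s*["'][^"']{4,}["']""",
    re.IGNORECASE,
)

class SourceAuditor(HTMLParser):
    """Flags literal secrets in inline scripts and HTML comments."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def _scan(self, where, text):
        for match in SECRET.finditer(text):
            # Report location and key name only; never echo the value.
            self.findings.append((where, match.group("key").lower()))

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._scan("inline script", data)

    def handle_comment(self, data):
        self._scan("comment", data)

def audit(html):
    """Return (location, key) pairs for every literal secret in the page."""
    auditor = SourceAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; every name and value here is made up.
SAMPLE_PAGE = """<html><head>
<!-- staging login: password = "constructed-value-1" -->
<script>
  var admins = [{"user": "admin1", "password": "constructed-value-2"}];
</script>
</head><body><input type="password" name="password"></body></html>"""
```

Run `audit()` over each rendered page in the build pipeline and fail the release on any finding; an empty password field such as the `<input>` in the sample is not flagged.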

Feed-b claimed it was a “one-off incident that was immediately dealt with.” However, there are concerns that the app also breaches privacy laws because it allows users to add information, including phone numbers, about friends and family members whom they believe may vote for Likud.

It’s unclear whether any cyber-criminals or nation state hackers managed to take advantage of the leaky app before the security issue was addressed. The personal details of Israeli lawmakers, military and other VIPs would be of significant interest to many Middle East rivals.

The irony is that Israel prides itself on the quality of its computer engineers. It has a thriving cybersecurity industry, with many companies spun out of former military projects.

Netanyahu himself has boasted in the past that the state’s cyber-spooks have managed to help allies foil numerous terror plots thanks to their signals expertise.
