An election campaign website run by Likud, the political party led by Israeli Prime Minister Benjamin Netanyahu, inadvertently exposed personal information, including the full names, addresses and identity card numbers of all 6.5 million eligible Israeli voters, on the Internet, raising concerns about identity theft and electoral manipulation just three weeks before the country's legislative elections.
In Israel, all political parties receive voters’ personal data before the elections. They may not pass it on to third parties, and they are responsible for protecting citizens’ privacy and for deleting the data after the election.
It is reported that Likud shared the entire voter list with Feed-b, a software company, which then uploaded a website (elector.co.il) designed to promote the voting management app called Elector.
According to web security researcher Ran Bar-Zik, who identified the problem, the Israeli voter data was not exposed through any vulnerability in the Elector application itself. Instead, the incident stemmed from negligence on the part of the software company, which leaked the username and password for the administrative panel through an insecure API endpoint that was referenced in the public source code of its home page, as shown in the figure.
“Someone who visits the Elector website in a standard browser such as Google Chrome can right-click on the page and select ‘View page source.’ The disclosed source code for the website contained a link to the ‘get-admins-users’ page that a potential hacker just had to visit to find the ‘admin’ user passwords in the open – those who have authority to manage the database,” Israeli media explained.
The open database contains the full names, ID numbers, addresses and gender of 6,453,254 voters in Israel, as well as phone numbers, father’s name, mother’s name and other personal data of some of them.
At the time of writing, the Elector website was down for many users, and some media reports confirm that the development company has fixed the problem, but there is no way to know how many people were able to download the voter database.
The Israeli Justice Department’s Privacy Protection Office said it was investigating the incident.