A simple yet critical coding flaw in Israel’s current ruling party’s election management application – Electoral, has exposed an entire Israeli voter database of 6,453,255 citizens. Ran Bar-Zik, a front-end developer of Verizon Media, was first tipped-off about this vulnerability by an unknown source who sent Bar-Zik his son’s personal details as proof. The exposed database includes information such as the full names, updated address, social security number, gender, and the ballot address and number. Details such as telephone numbers, father’s name, mother’s name and family connections were also available in the database.
According to Bar-Zik’s story published in Haaretz, Israeli political parties receive the voter registry including personal details of all the registered and eligible voters. Likud, the current ruling party in Israel uploaded this voter registry to its official election management application – Elector, which has been developed by a software firm Feed-b. Elector helps in sending latest news updates related to the elections and also enables the operators to send bulk messages to all the voters in its database. Feed-b played down the exposure by deeming it as a “one-off incident, which has been immediately dealt with,” however, it is unsure about the extent of the vulnerabilities’ exploitation and its corresponding time frame.
The “View Source” Hack
Talking about the hack, Bar-Zik said, “It’s amazing. It’s very simple and very stupid hack”. On Elector’s web application, Bar-Zik right-clicked and selected the “View Source” option. This option displays the HTML code used to develop the website. A file path labeled as “get-admin-users” was written within the code. He further copy-pasted this path as an extension into the URL bar of the browser. This led to a complete list of admins that was displayed on his screen, which included their usernames and passwords. Bar-Zik used a few credentials to check the authenticity and tried logging into the admin accounts. It did work as he received full access to the entire voter registry.
Upon discovery, as per the reporting data and privacy breach guidelines of Israel, Bar-Zik reported the issue to its developer in Feed-b and The Privacy Protection Authority in the Ministry of Justice.
The entire Israeli voter details being exposed is really a big lapse and a confirmed failure in safeguarding the data privacy of its citizens, but it has surely given a few lessons for governments and organizations who are emphasizing on digital and cloud technologies.
Firstly, there was no other form of user authentication apart from the simple password authentication, not even a two-step verification procedure. Any sensitive or even basic data of users on cloud and physical drives should allow admin accounts access only with a two-step or multi-step verification process.
Secondly, Bar-Zik pointed out that he connected to the system using a VPN, which meant that the IP address was routed from outside Israel. Software companies having country-specific targets and users should restrict access of IPs and limit it to the home country only (i.e. Israel in this case).