It’s ironic that in a country where national elections are still conducted with paper ballots and blue paper envelopes, electronic screw-ups have still managed to cross the ocean from Des Moines, Iowa this campaign season, all the way to Israel.
If you are registered to vote in the State of Israel, your name, identity card numbers, address, phone number, gender and other details like political preferences were leaked by an election app that is being used by the Likud party to manage Election Day, according to a report by Haaretz.
The leak was discovered and detailed by Ran Bar-Zik, an Israeli-born frontend developer for Verizon media, according to ZDNet, which reported Bar-Zik found the leak while performing a security audit of the app.
It is unclear whether the exposed server and data was harvested by unauthorized parties before the discovery and public disclosure.
The unsecured “Elector” app, developed by the Feed-b firm, contains the voter registry which is uploaded by the party into the software database.
Each political party in Israel receives that voter registry with all of its information prior to elections, commits to protecting the privacy of the voters and promises not to reproduce the registry nor provide it to a third party. The parties also agree to permanently erase all of the information once the election has ended.
Because all parties running for Knesset obtain easy access to all personal citizen information, all citizens are also bombarded with SMS messages to their cell phones — and no one is able to opt out, regardless of whether they choose to have the messages or not.
The personal details of 6,453,254 Israeli citizens were uploaded into the Elector app, which is used in a number of countries abroad – such as Russia, China, Moldova and the United States – and which turned out to be unsecured, hence the leak.
A similar leak happened in 2006 when an Interior Ministry employee stole the population registry and published it illegally.
Due to the vulnerability, anyone with a little computer knowledge was able to obtain the usernames and passwords of system administrators, enabling one to get access to the entire voter registry, which contained the personal details of some of the most powerful people in the country.
Feed-b said the leak was a “one-off incident that was immediately dealt with.” The company added security measures have since been reinforced.