Likud, the party headed by Israeli Prime Minister Benjamin Netanyahu, has exposed the personal information of nearly 6.5 million Israelis.
According to Ran Bar-Zik, a front-end developer for Verizon Media, the leak was discovered today whilst performing a security audit for Elector, an app developed for Likud.
The app had been found to be misconfigured, thus leaving its server exposed and allowing the data to be harvested by unauthorised parties.
Bar-Zik explained that the website developers for elector.co.il had left an API endpoint exposed online without a password, allowing anyone to query it without any authentication. By sending queries to the API endpoint, an individual could obtain details about the site’s administrators including passwords in cleartext.
Bar-Zik explained that he was able to gain access to the site’s backend by using the very credentials that were returned from the API query.
The database contained the personal details of 6,453,253 Israeli citizens, including their full names, phone numbers, home addresses, age, gender, ID card numbers and political preferences.
The Elector app’s official website has since been taken down and removed from the cache of the search engine to prevent further unauthorised access to the site.
Over recent weeks, local Israeli media, including Haaretz and Ynet, reported several privacy-related issues about Elector, including the app allowing users to register other users for SMS-delivered news without obtaining their consent.
The information in the database is extremely sensitive and could be exploited by cyber criminals to commit identity theft, spying and even voter intimidation.