Campaign managers worldwide should have their internet privileges revoked, period, but here’s the latest stunning fiasco: Netanyahu’s political party the Likud exposed the country’s entire voter registry by uploading it to an app, Haaretz has reported. An “anonymous tipper” claimed to have easily accessed personal data of 6,453,254 Israeli voters, including names, ID numbers, addresses, and in some cases, phone numbers.
The app, Elector, is designed for campaigns to keep up-to-date information, communicate with supporters, and track voting status; in other words, this is an app which probably should have had 2-step verification set up, which it reportedly did not. On its website, Elector says that the app was created by “senior professionals in cyber security and software systems development” and advertises the “strictest standards” of security.
The author of the Haaretz piece, programmer Ran Bar-Zik, later told the New York Times that this person initially sent him and his co-hosts of the podcast Cybercyber the vulnerability, along with data on Bar-Zik, his wife, and son. Bar-Zik then laid out the vulnerability on his blog. If the screenshots are real, this wasn’t even a hack; he right-clicked “view source” on the homepage, and Likud’s login info was in the site’s source code. Neither Bar-Zik nor Elector were immediately available for comment.
All political parties in Israel are given copies of the voter register during campaigns, with the understanding that they’ll delete them. Haaretz reports that the firm behind Elector, Feed-b, stated that this was a “one-off incident that was immediately dealt with.” All that means is that voters can hope that the citizen who reported the breach was the only person to have clicked “view source,” and that this is a good person. The Likud is not so naive, according to the Washington Post, which reports that an anonymous source close to the party told them they were “braced” for “worrying consequences.” The exposure poses a major national security threat, for one; the list would have included the IDs and addresses of various government and security officials.
According to the New York Times, the Israeli Privacy Protection Authority is “looking into” the issue but has not announced an official investigation.
Gizmodo has reached out to the Likud and will update the post if we hear back. The election is March 2nd.