The personal information of all Israeli voters was available online, after prime minister Benjamin Netanyahu’s Likud party uploaded the full register on an election campaign management app, reported Israeli daily Haaretz.
Details such as names and gender, addresses and phone numbers, identity card numbers etc of more than six million citizens was left online, after the Likud uploaded them to the Elector app.
The spokesperson for the Israel National Cyber Directorate declined SC Media UK's requests to comment on the situation, saying the issue was under the jurisdiction of the country's Privacy Protection Authority.
The Privacy Protection Authority spokesperson told SC Media Uk that they are unable to comment now, as they are examining the situation.
The porous app left the entire voter registry for anyone to easily download on a computer, said the report. The app’s manufacturer Feed-b dismissed it as a “one-off incident”, saying the vulnerability has been patched.
“We did not settle for building a system that would just deliver the goods. We want it to work well and secure the most stringent standard,” goes a rough translation of the security features listed in the Israeli app’s web page.
“Often, the APIs are riddled with a full spectrum of OWASP API Security Top 10 issues, some of which are intertwined and require chained exploitation,” commented ImmuniWeb CEO Ilia Kolochenko.
“Moreover, compared to web applications, virtually no APIs or web services are protected by a WAF, making them a perfect target for cyber-criminals. Worse, such attacks are hard to spot and frequently remain undetected, unreported and uninvestigated.”
A similar situation came to light in September 2019, when an unprotected database belonging to the Likud party exposed the personal data of more than four million Israeli citizens. The database was left open to the public for almost five days before it was secured, reported Haaretz.
Political parties in Israel get the details of voters before the polls. The obligation to safeguard the data falls on the parties and they are not allowed to copy, delete, or transfer the voter registry once the polls are over.
"When vast amounts of personal information is being collected, processed, and stored, all aspects of security need to be taken into consideration. Application security remains a concern for a large number of organisations. Not a week goes by where vast amounts of data aren't exposed due to misconfigured cloud buckets, which set permissions to the public,” noted KnowBe4 security awareness advocate Javvad Malik.
“A culture of security needs to be embedded within organisations so that the right questions are asked at the right time to account for risk and potential exposure, and based on that, ensure that the most effective controls are implemented. Without this change in mindset, we will continue to see breaches occur. And with so much information digitally available, the impact will only continue to grow."
The latest disclosure from the Middle Eastern nation comes hard on the heels of another news report on Iran facing an internet shutdown following a cyber-attack.
The NetBlocks internet observatory reported a wide-area disruption in Iran’s telecommunications network disruption on 8 February. The internet observatory attributed the shutdown to activating the country’s cyber-defence mechanism called “Digital Fortress" a.k.a Dzhafa Shield.
Sadjad Bonabi, board member at the Telecommunication Infrastructure Company, Iran’s telecom infrastructure monopoly, tweeted on 8 February that a “distributed denial of service (DDoS) attack” affected the internet services, which was “normalised with the intervention of the Dzhafa Shield and the efforts of its communications infrastructure partners”.
"There is no doubt that this has created frustration and confusion among internet users, which could potentially lead to a distrust of the United Nations servers and the security measures currently in place. Still, many do not acknowledge the importance of modern and regularly updated IT servers that are immune to cyber-attacks or potentially leaked information," said Tim Dunton, MD, Nimbus Hosting.
"This is just the latest in a long line of alleged cyber-attacks against Iranian infrastructure. More should be done to ensure safe internet access, as well as a solid infrastructure that cannot be attacked by cyber-criminals, and this goes for all countries.”