Software flaw exposes data of Israel’s 6.5 million voters

JERUSALEM – A software flaw exposed the personal data of every eligible voter in Israel – including full names, addresses and identity card numbers for 6.5 million people – raising concerns about identity theft and electoral manipulation, three weeks before the country’s national election.

The security lapse was tied to a mobile app used by Prime Minister Benjamin Netanyahu and his Likud party to communicate with voters, offering news and information about the March 2 election.

Until it was fixed, the flaw made it possible, without advanced technical skills, to view and download the government’s entire voter registry, though it was unclear how many people did so.

How the breach occurred remains uncertain, but Israel’s Privacy Protection Authority, a unit of the Justice Ministry, said it was looking into the matter – though it stopped short of announcing a full-fledged investigation.

The app’s maker, Elector Software, played down the potential consequences, describing the leak as a “one-off incident that was immediately dealt with” and saying it had since bolstered the site’s security.

The flaw was first reported on Sunday (Feb 9) by the newspaper Haaretz.

Explaining the ease with which the voter information could be accessed, Mr Ran Bar-Zik, the programmer who revealed the breach, explained that visitors to the Elector app’s website could right-click to “view source”, an action that reveals the code behind a web page.

That page of code included the user names and passwords of site administrators with access to the voter registry, and using those credentials would allow anyone to view and download the information.

“Jackpot!” he said on Monday. “Everything was in front of me!”

One Israeli website said it had been able to access the personal information of, among others, Netanyahu; his wife, Sara; the chief of staff for the Israeli military, Aviv Kochavi; and Nadav Argaman, the head of Shin Bet, Israel’s domestic security agency.

Leave A Reply

Your email address will not be published.