Once Again, Two New Election App Breaches Exposed Personal Data on Millions of Israelis

Less than a week after Calcalist reported a severe security breach compromising the personal data of over 6 million Israeli voters, two new security breaches were discovered in the campaign management app used by Israel’s ruling Likud party. In addition to the personal details of almost 6.5 million Israelis which leaked for the second time, the new flaws also revealed correspondence between activists and potential voters as well as the app’s source code, according to activist hacker Noam Rotem and Ran Bar-Zik, a senior developer at Verizon Media, who discovered the leaks.

The first lead on the new breaches was sent by an anonymous source to CyberCyber, a data security podcast hosted by Rotem and Ido Kenan. The new breaches are unrelated to last week’s breach and were discovered after it was fixed, according to Rotem and Bar-Zik.

Israel is not just a country whose entire database on adult citizens has been stolen, it is the country to which it happened twice in one week from the same system, Bar-Zik said in an interview with Calcalist.

Both breaches were apparently fixed by the app’s developer Elector Software Ltd. last week, one on Thursday and the other on Friday, following Calcalist’s request for comment. The app is also being used by far-right party Yisrael Beiteinu.

The first and more severe of the new breaches revealed keys to Elector’s Amazon Web Services (AWS) account, giving access to app backups containing all information saved by its clients. This information includes Israel’s complete voters’ registry, email addresses, phone numbers, lists of activists and people who were successfully recruited, and SMS messages sent on behalf of the parties, Rotem said.

This leak is more severe than the previous one, both because it compromised additional information and because it has remained active after the reports of the initial breach likely brought Elector to the attention of malicious agents.

The other new breach was of the source code of Elector’s internal systems which was publicly posted on code collaboration website GitHub. Revealing the system’s source code means revealing all of its weaknesses and giving malicious agents access to data that is supposed to be confidential, Rotem said. According to Rotem, the revealed code was also very low grade and revealed passwords and keys to third-party services. The passwords themselves were also revealed to be extremely weak and easy to crack, he said.

The two new breaches shed light on the inaptitude of the relevant state authorities, Rotem said. If they had taken the system down following the first report, the two additional breaches would not have occurred and sensitive information on Israeli citizens would not be out there putting people at risk, he said. “The Israel National Cyber Directorate is supposed to safeguard the purity of the country’s election process, but when a major system used by the country’s ruling party is breached, not once but twice, its silence and failure to take action send out a clear message to everyone involved,” he said.

In response to Calcalist’s request for comment, a spokesperson for the Likud party stated that the party has hired cybersecurity companies to look into the matter and their examination indicated a malicious attack by an outside source. Likud is working to identify the source of the criminal activity and will consider reporting it to the police, they added.

A spokesperson for Yisrael Beiteinu said the claims were unsubstantiated and that the party is making every effort to maintain privacy.

Concerning the database leaks, Elector stated that “it is an attempt to embarrass the company and destroy its reputation with unfounded information, originating from a misunderstanding, only to create a media buzz.” According to the company, the breached server was used for testing by the company and did not contain any sensitive information. The relevant parties have been informed of this breach a week ago and the company is collaborating with them fully and transparently, the company said. The revealed keys are useless for anyone but those with the highest-ranking users in Amazon, it added.

Concerning the exposed source code, Elector said it was an outdated code used as a test done by a job applicant 10 months ago. Once that person was hired, the development process began anew, the company said, adding that “the so-called experts are welcome to run the code and check.” The company also said it deleted the code from the site for appearances.

Rotem and Bar-Zik remained unconvinced by Elector’s comments. “Data from Elector’s systems leaked in three different ways in a single week,” Rotem said. The company’s denial represents a fundamental lack of appreciation for the importance of protecting data, he added. “Exposed information is exposed information,” Bar-Zik said. Even kindergarten children know better than to include passwords in code, he added. “If there were a code-writing license, everyone related to this company would have had theirs revoked.”