The flaw in the Elector app revealed the names, addresses and identity card numbers for each one of Israel’s 6,453,255 voters in such a simple way that it didn’t require any advanced knowledge of hacking to access the critical information.
“It wasn’t very technical,” said software developer Ran Bar-Zik, who exposed the flaw in the Haaretz newspaper on Sunday after it was fixed.”It’s amazing. It’s a very simple, very stupid hack. To call it a hack is an insult to professional hackers.” Before the flaw was fixed, Bar-Zik said users could go to the Elector app’s website and view the source code, which revealed the logins of system administrators, allowing anyone to access and download the voter registry.
Bar-Zik was tipped off to the flaw by an anonymous source to his podcast. “The anonymous source sent me my son’s details, who is a soldier in the army. And I was amazed. And when I see the magnitude of the details — more than six million people — I was shocked it was so easy,” Bar-Zik told CNN.
It’s unclear how many people downloaded the sensitive data, but the information was available for at least 24 hours and possibly much longer. Bar-Zik notified the developer of the flaw on Friday evening. It was fixed by Saturday evening, Bar-Zik confirmed, but it may have been available long before Bar-Zik knew about it.
“It could be a lot of days, a lot of months even,” he said.
CNN reached out to the app’s developer, Zuriel Yamin, for comment. The development firm, Feed-b, tried to downplay the security flaw, telling Haaretz the flaw was a “one-off incident that was immediately dealt with” and that security measures had been improved.
The app’s history shows that Elector has been available for at least nine months. The app was last updated four days ago with improvements to the speed of the homepage and additional security features. Beyond Israel, the app has also been downloaded in countries like Moldova, China, Russia, and the United States. The numbers of downloads are far smaller abroad, but if the data is downloaded even once, it can be shared easily, potentially exposing the private data of millions of Israeli citizens. Even after the security flaw was fixed, those who had already downloaded the data could still share it.
The Privacy Protection Authority in the Ministry of Justice has opened up an “oversight procedure” because of the security breach and is working to prevent the leak from continuing. Voter registry data is provided to all of the political parties before an election. The responsibility to comply with privacy and election laws is “first and foremost on the parties,” the ministry said in a statement.
Last week, Netanyahu urged his party’s Likud supporters to download the Elector app as a powerful tool to boost voter turnout on election day, repeating “Elector!” as the app was shown on a big screen behind him.
A statement from the Likud party pinned the blame on the developer. “Elector is an external private provider that gives services to a number of parties, and the professional and legal responsibility is on [the developers]. From the moment it became clear that the company was not meeting the encrypted standard of security, the Likud turned to a leading information security company to do a thorough check of the system.”
Neither the Likud nor the developer are likely to face any serious penalties for the security flaw, cautioned Tehilla Shwartz Altshuler, who heads the Media Reform Program at the Israel Democracy Institute.
“The privacy authority doesn’t really have enough enforcement tools,” said Altshuler. “They can’t really give fines and so on and so forth.”