A software flaw exposed the personal data of every eligible voter in Israel — including full names, addresses and identity card numbers for 6.5 million people — raising concerns about identity theft and electoral manipulation, three weeks before the country’s national election.
The security lapse was tied to a mobile app used by Prime Minister Benjamin Netanyahu and his Likud party to communicate with voters, offering news and information about the March 2 election. Until it was fixed, the flaw made it possible, without advanced technical skills, to view and download the government’s entire voter registry, though it was unclear how many people did so.
It came less than a week after another app helped make a fiasco of the Democratic presidential caucuses in Iowa, casting serious doubts on the figures that were belatedly reported. That app had been privately developed for the party, had not been tested by independent experts, and had been kept secret by the party until weeks before the caucuses.
The personal information of almost every adult in Bulgaria was stolen last year from a government database by hackers suspected of being Russian, and there were cyberattacks in 2017 on Britain’s health care system and the government of Bangladesh that the United States and others have blamed on North Korea. Cyberattacks on companies like the credit agency Equifax, the Marriott International hotel company and Yahoo have exposed the personal data of vast numbers of people.
Describing how easily the voter information could be accessed, Ran Bar-Zik, the programmer who revealed the breach, explained that visitors to the Elector app’s website could right-click to “view source,” an action that reveals the code behind a web page.
That page of code included the user names and passwords of site administrators with access to the voter registry, and using those credentials would allow anyone to view and download the information. Mr. Bar-Zik, a software developer for Verizon Media who wrote the Sunday article in Haaretz, said he chose the name and password of the Likud party administrator and logged in.
“Jackpot!” he said in an interview on Monday. “Everything was in front of me!”
So – yes, centralised databases. What a great idea. Not.