The personal data of almost 6.5 million Israeli voters was leaked online after Likud, the country’s governing party, uploaded the information to the highly vulnerable Elector application.
Prior to the elections, all parties receive information about the voters, on the understanding they’ll guard it carefully and destroy it after the election. It looks like the software used by Likud had a bug that allowed virtually anyone to download the entire registry.
The Haaretz news publication received an anonymous tip regarding the security fumble and investigated the issue, only to find it was real. Basically, the user names and passwords for system admins were exposed in plain text in the page source of the website. Logging in and downloading the entire registry was a trivial task.
For now, it’s unclear if anyone downloaded the user registry. The personal data laid bare online included the full name, identity card numbers, genders, and even full address along with phone numbers. A total of 6,453,254 people were affected.
The company that made the app, Feed-b, only said that it fixed the issue as soon as it learned about it, but gave no other details about possible intrusions.
The political parties that receive access to the voter registry used the information in various ways, up to Election Day, sending SMS messages, tracking voting presence, and more.