A political campaign application designed for the Likud party in Israel has been found to include a basic API flaw that exposed the personal information of almost 6.5 million users. Likud, the party of Israeli prime minister Benjamin Netanyahu, designed the app to help users receive campaign news and updates.
The vulnerability was first discovered by Ran Bar-Zik, a developer for Verizon Media that was performing a security audit of Elector, the political party’s campaign application. Bar-Zik had grown concerned about the application’s security after hearing reports of errors that were allowing users to register other individuals for SMS notifications without their consent. Upon inspection, Bar-Zik noticed that the application’s source code included a reference to an unsecured API endpoint that was intended to authenticate the site's administrators. By querying the API the researcher was able to attain enough information on the administrators that he was able to gain access to the application’s backend.
The application’s backend provided Bar-Zik with access to a database that included details on 6,453,254 Israeli citizens. The information in the database included full name, phone number, ID card numbers, home addresses, gender, age, and political preferences. The application has since been shut down and removed from the cache of search engines.