A serious security breach in the Shas Party's computerized election management system has left it vulnerable to easy exploitation, even by those with only basic knowledge of cybersecurity, according to tech experts.
The breach in the system, which contains not just the data of Shas supporters and activists but rather the information of all Israeli citizens who are eligible to vote, was revealed Sunday following an anonymous leak received on the CyberCyber podcast hosted by Ido Kinan and Noam Rotem. The findings were then verified by software architect Ran Bar-Zik.
The vulnerability was discovered by the anonymous leaker using an online automated scanning tool that detects such weaknesses, according to a Calcalist report.
No less disturbing than the security breach itself is the information held in the system: detailed personal data, including family ties, phone numbers, and even bank account information of potentially millions of Israeli citizens which is not included in the voter register.
The breach is based on a known four-year-old weakness in an online PHP-based system debugging tool, and there is no need for sophisticated tools to exploit this weakness, as all that is needed is an internet browser.
The debugger should only be enabled during the system testing phase, and switched off as soon as it is open for wide use. If the debugger is still active after the system goes live, it is possible to penetrate it simply by adding a few characters to the website address of the system and performing a few other actions that do not require sophisticated computer knowledge.
Although the breach in question has been blocked, there is no way to know whether the information in the system was leaked before it was patched. The ease with which the loophole can be exploited, and the fact that it was located without much effort, raises the concern of who might hold all the personal data stored in the system.
Shas responds to data leak
Shas, like the other parties, receives the voter register from the Ministry of the Interior before each round of elections. However, it is required to destroy the transmitted information, including all the details added to it, at the end of each election. Despite this Shas seems to have kept the personal data of voters from previous election rounds.
"The Shas party has operated a professional and reliable election software for many years, like all the other parties in Israel, and maintains a legally registered database. All information held by Shas is legally collected by it and held and preserved in accordance with the law, accompanied by the best cybersecurity experts in Israel," the party spokesperson said in response to a Haaretz inquiry.
"All information held by Shas is legally collected by it and held and preserved in accordance with the law, accompanied by the best cybersecurity experts in Israel."
Shas statement
"We were informed about concerns of illegal access to the database. Immediately upon receiving this information, we conducted a comprehensive inspection of the database using security experts, and implemented a number of immediate changes, so that all information will be kept securely. Shas continues a comprehensive inspection of the database systems, and will act as necessary against any party found to have acted in violation of the law," the party said.
Likud's Elector platform leaks personal data
In a similar event, a list of 5,000 Likud activists' names and phone numbers was leaked to the Internet from the "Elector" platform last year, appearing on the Ghostbin leak site, according to Ynet.
The list was uploaded by an anonymous source along with an email that was circulated in many groups, which read that "the Elector system used by the Likud and the Right has been hacked. The data will be slowly leaked until the system is taken offline. Here is the first cluster of the 'activists'."
The Authority for the Protection of Privacy at the Ministry of Justice determined the Elector company as well as the Likud and Jewish Home parties which received technological services from the Elector company, violated the provisions of the Privacy Protection Law and the regulations under it.
"The findings of the enforcement procedure carried out by the Authority revealed violations of the law, including many serious deficiencies in the security of the information in Elector's information systems, as well as in its conduct as a holder of sensitive personal information," the Authority for the Protection of Privacy said in a statement.