The breach was discovered by Hezkiyahu Raful, a programmer, while he was trying to help his uncle file an appeal to a parking ticket. When they attempted to look at photos taken by the municipal inspector who issued the ticket, there was no download button, so Raful pressed F12 to show the source code of the page. That's when he saw that the URL had a numerical ID at the end and found that he could access additional parking ticket files by simply changing the number.
In addition to that security flaw, Raful discovered that changing numbers in the middle of the URL he could access building files, tickets, tax files and "any document that the municipality publishes or receives," said Raful to Geektime.
The programmer also found that the links were designated as public meaning that hackers wouldn't even need a ticket or other document in order to access the link.
Raful immediately contacted the National Cyber Directorate and notified them about the breach and within an hour the flaw was fixed.
The discovery of the breach comes after a string of cyberattacks targeted companies in Israel.
Earlier this month, thousands of documents containing the personal information of Israeli citizens and government officials were leaked and sold after the Shirbit insurance company was targeted in a ransom attack by a group called Black Shadow.
Less than two weeks later, another cyberattack targeted the Amital software company, which provides software solutions for customs clearance. It is unclear if any damage was caused or if data was leaked in the incident.
On Sunday, yet another cyberattack was reported after a hacker group called Pay2Key announced that they had hacked into the largest Israeli airpower defense corporation, Israel Aerospace Industries.
The IT security company Check Point published a report earlier in December that 141 Israeli companies had been cyberattacked in November and 137 in October, a major spike in attacks.
"Maybe a law should be made that requires them to do tests," said Raful to Geektime. "I did not try to break into them, I did not conduct phishing and then succeed. I just saw it. What if tomorrow I'm very bored, and I'm not trying to help my uncle but trying to break into them?"
Raful stressed that the incident was no less serious than the Shirbit attack, as the exposed information included IDs and municipal tax documents.
"The issue was reported to the directorate and in accordance with the report it was quickly closed by the municipality," said the National Cyber Directorate to Geektime. "As part of a new plan by the directorate, organizations can require their hosting companies and/or their website building companies to meet the standards of information security of the directorate and even the hosting label of the directorate."
"This morning, the Jerusalem Municipality received an update from the cyber directorate about a technical malfunction, which was addressed immediately," said the municipality in a response to Geektime. "The Jerusalem Municipality is studying the case and will draw lessons accordingly."
Yonah Jeremy Bob contributed to this report.