Two days before elections, security breach in Shas database exposes personal details of millions of Israeli citizens
Two days before elections, security breach in Shas database exposes personal details of millions of Israeli citizens
The breach gave potential attackers access to all the information stored in the system including personal data. Shas: "As soon as we were informed of the breach we implemented a number of immediate changes, so all information will be kept in a very secure manner”
A security breach in the database used by the Shas party election campaign exposed sensitive personal details of millions of citizens with the right to vote in the Israeli elections to be held this coming Tuesday. These include what appears to be not only the complete voter register that was transferred to the party, but also classified information that does not appear in the register, such as family ties between citizens, private bank accounts of Shas activists, and even records of citizens' past votes.
The breach was revealed following an anonymous leak received on the CyberCyber podcast of Ido Kenan and Noam Rotem, and the findings were verified by software architect Ran Bar-Zik. The breach was based on a known four-year-old weakness in an online system debugging tool and it could be easily exploited.
The debugging tool should be enabled only during the system testing phase, and switched to off mode as soon as it is open for wide use. This is because if the debugger is activated, it is possible to penetrate the system by adding a few characters to the website address where the system is located, and performing a few other actions that do not require sophisticated knowledge. Apparently, the vulnerability was discovered by the anonymous leaker using an online automated scanning tool that detects such vulnerabilities.
The breach gave the attackers access to all the information stored in the system. This included all the data that appears in the voter's register - last name, first name, address and voting station. These are very similar to the info that leaked from the Likud's elector system. However, the Shas system also included deeper data that could not come from the voter's register, including phone numbers, father's name, year of birth, and gender. CyberCyber and Bar-Zik performed a sample test of hundreds of the details and verified their correctness. They also performed a personal check against some of those appearing in the database, and received confirmation from them that they had never volunteered to be part of the Shas election campaign nor provided the party with this type of data.
Additional information that appears in the system includes requests from citizens and supporters for assistance, including personal details and complete information about Shas activists in certain areas, including their bank account details.
The breach in question has been blocked, but there is no way to know whether the information in the system fell into the hands of other parties beforehand. The ease with which the loophole can be exploited, and the fact that it was apparently located without much effort, raises the concern that the answer to this could be positive. This type of information can be used by cybercriminals for a variety of malicious purposes, from phishing of citizens (in this context, full bank account details can be particularly useful), through targeted fake news campaigns against citizens identified as party supporters, and even threat and intimidation campaigns against party supporters or those who have declared that they do not intend to support it.
Shas stated in response: "The Shas party has been operating professional and reliable election software for many years, like all other parties in Israel, and maintains a legally registered database. All the information held by Shas is legally collected by it and held and saved in accordance with the instructions of the law, accompanied by the best security experts in Israel. We were informed about a fear of illegal access to the database. Immediately upon receiving notice of it, and following the information provided to us, we conducted a comprehensive inspection of the database using security experts, and implemented a number of immediate changes, so that all information will be kept securely. Shas continues a comprehensive inspection of the database systems, and will act as necessary against any party found to have acted in violation of the law."