An election campaigning website operated by Likud―the ruling political party of Israeli Prime Minister Benjamin Netanyahu―inadvertently exposed personal information of all 6.5 million eligible Israeli voters on the Internet, just three weeks before the country is going to have a legislative election.
In Israel, all political parties receive personal details of voters before the election, which they can’t share with any third party and are responsible for protecting the privacy of their citizens and erasing it after the elections are over.
Reportedly, Likud shared the entire voter registry with Feed-b, a software development company, who then uploaded it a website (elector.co.il) designed to promote the voting management app called ‘Elector.’
According to Ran Bar-Zik, a web security researcher who disclosed the issue, the voters’ data was not leaked using any security vulnerability in the Elector app; instead, the incident occurred due to negligence by the software company who leaked the username and password for the administrative panel through an unprotected API endpoint that was listed in the public source code of its homepage, as shown.
images from Hacker News