Official Israel Election Website Vulnerable to Hackers, Exposes Voters' Info

Expert says site does not comply with basic security requirements and could allow people to vote in someone else's place and theoretically to even download a database of all eligible voters in Israel

Amitai Ziv
An Israeli electoral employee arranges ballot boxes at the headquarters of the Israeli Elections Committee, near the central town of Shoham, on February 24, 2015. Credit: AFP

After the exposure of a security breach in the system tallying the votes for the Likud primary this month, a new and serious cyber-weakness has been revealed concerning the April 9 Knesset election. The “Boharim” (Voting) website of the Interior Ministry, which was launched recently, does not have protection against repeated brute-force attacks to extract information on voters.

The website, which is part of the state’s “accessible government” initiative, allows any citizen to receive information on their polling station for the election by entering their identity card number and the date the ID card was issued. ID numbers can be easily obtained (for example, senior business leaders' ID numbers appear in some regulatory filings), so anyone who knows someone else's ID number can try a brute-force attack, running through dates until the site returns the victim's information.

Nothing would stop multiple attempts at guessing the date.


So, what can you do with this information? Is it a big deal? You can, for example, enter the Finance Ministry’s site with the ID number and its date of issue and receive information about the person’s savings and insurance. You can also launch a phishing attack against the victim, such as impersonating their insurance company, and try to extract more exploitable financial information such as bank account or credit card details.

Roni Suchowski, an experienced cyber expert and the founder of the CISO Helper firm, was the first to reveal the vulnerability. He insists the new site, which launched only a few days ago, does not comply with basic security requirements. "It could enable someone to impersonate someone else and vote in their place," he contends. "Even more worryingly, if someone works out the date of issue for your identity card, he or she can then use it to pose as you in all sorts of institutions, official bodies, insurance companies, banks and more," he concludes.

To demonstrate this weakness, Suchowski asked the author of this piece for permission to use his identity card number, and was able to retrieve all the relevant data correctly: assigned polling station, date of issue, voting certificate. "Because there is no brute-force protection on the site, I was able to guess the date of issue of the identity card until I got it right," he said. "On top of that, the website does not have 'Captcha' technology, where you have to prove you’re not a robot: in theory, one could have downloaded a database of all eligible voters in Israel," he concludes.

The "accessible government" site said that as part of the preparations for the April election it is running continuous load tests, which started on Thursday. In order to conduct the tests, they removed the Captcha component temporarily, the site said. “An alternative mechanism exists in which after a certain number of requests access will be blocked, and as a result the possibility of a brute-force attack will be prevented,” the site said.

In other words, administrators claim they purposefully removed the protection technology, and that the Suchowski breach was just an exception. "That's not true, they have no alternative system of protection, I attempted new entries a thousand times and was not blocked," Suchowski retorted. Also, Suchowski claimed the test was not carried out properly: “They could have taken down the captcha defense just for their internal access and not for the entire public. If they want, I will explain it to them,” he concluded.
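
The kind of blocking mechanism the site describes, sketched here as an added example (not code from the Boharim site or from Suchowski): failed lookups are counted per ID number rather than per client, so repeated date guesses against one ID are cut off wherever they come from. The thresholds, names and the sample record are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # assumed policy: failed lookups allowed per ID per window
WINDOW_SECONDS = 24 * 3600  # assumed window length


class LookupThrottle:
    """Counts failed lookups per ID number, independent of client IP or session."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)  # id_number -> timestamps of failures

    def _prune(self, id_number):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[id_number]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def is_blocked(self, id_number):
        return len(self._prune(id_number)) >= self.max_failures

    def record_failure(self, id_number):
        self._prune(id_number).append(self.clock())


def lookup(throttle, records, id_number, issue_date):
    """Return (status, data); `records` is a constructed stand-in for the registry."""
    if throttle.is_blocked(id_number):
        return "blocked", None               # refuse before touching the registry
    rec = records.get(id_number)
    if rec is None or rec["issue_date"] != issue_date:
        throttle.record_failure(id_number)   # unknown IDs are counted too
        return "not_found", None             # same answer for wrong ID and wrong date
    return "ok", rec["polling_station"]


def days_to_exhaust(candidate_dates, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Worst-case days needed to try every candidate date under the throttle."""
    return candidate_dates / max_failures * window / 86400
```

A per-ID lockout also locks out the legitimate holder for the rest of the window, so in practice it sits alongside a CAPTCHA and per-client limits, not in place of them.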
