The Israel Defense Forces' mobile phone app for contact tracing of the coronavirus has left the personal details of every single soldier currently serving in the IDF exposed, an analysis by Haaretz revealed on Thursday.
The app was built in such a way that the names and ID card numbers of enlisted soldiers, as well as their health status, could be easily accessed. Moreover, an attempt by Haaretz to find exploits in the app revealed that once the personal data is accessed, it can also be changed: for example, a person’s health status can be changed from “ill” or “showing symptoms” to “healthy.”
Haaretz informed the IDF of its findings, and the app has since been fixed so that the data is no longer accessible.
Since last month, soldiers have been required to open the application daily, enter their ID number and report their health status. In addition to issuing official orders for soldiers to use the app, the army also sent soldiers text messages urging them to do so. Soldiers without smartphones were required to update their status on computers in army bases. The app was in fact just an external website - the same one the soldiers without phones were required to update.
Anyone can access the army's coronavirus app website: clearance.medical.idf.il
Haaretz has discovered that if a person enters a wrong ID number (one that does not belong to a soldier), the website displays an error message. Moreover, correctly guessing a valid ID number would reveal that soldier's name and health status. This is the second time Haaretz has found issues in such apps, with an earlier version of this very application also having been found to have similar flaws.
That is the first loophole in the system: it returns personal data without requiring any authentication. The second issue is that the website has no safeguards against repeated invalid requests, so a simple program can easily bombard the website with ID numbers and discover which are valid and which are not, while also collecting the real names associated with the valid ones.
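To make the two loopholes concrete, here is an added illustration that is not code from the IDF site or from Haaretz: a small in-memory model of a health-status service in its flawed form (an unauthenticated lookup that answers differently for valid and invalid IDs, an update that trusts the ID in the request, and no limit on repeated calls) next to a hardened form that rate-limits, resolves the subject from an authenticated session rather than from a caller-supplied ID, and gives the same answer whether or not an ID exists. The records, ID numbers, names, tokens and client addresses are all constructed for the example; the session store stands in for whatever real login the site would use.

```python
import time
from collections import defaultdict, deque


def sample_records():
    """Constructed sample data; the ID numbers and names are fictional."""
    return {
        "123456782": {"name": "A. Example", "status": "healthy"},
        "987654324": {"name": "B. Example", "status": "ill"},
    }


# --- Flawed pattern: the two loopholes described in the text --------------

def vulnerable_lookup(records, id_number):
    """No authentication, and a different answer for valid and invalid IDs:
    an anonymous caller learns which IDs exist and reads the data behind them."""
    rec = records.get(id_number)
    if rec is None:
        return 404, {"error": "unknown ID"}
    return 200, {"name": rec["name"], "status": rec["status"]}


def vulnerable_update(records, id_number, status):
    """The ID in the request chooses whose record changes, so any caller can
    flip any soldier's status, e.g. 'ill' -> 'healthy'."""
    if id_number not in records:
        return 404, {"error": "unknown ID"}
    records[id_number]["status"] = status
    return 200, {"status": status}


def enumerate_ids(lookup, candidates):
    """Constructed enumerator: with no request limit each candidate costs one
    call; IDs answering 200 are valid, and the name comes back with them."""
    return {cid: body for cid in candidates
            for code, body in [lookup(cid)] if code == 200}


# --- Hardened pattern ------------------------------------------------------

class RateLimiter:
    """Sliding-window limiter keyed by client (here: a client IP string).
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max, self.window, self.clock = max_requests, window_seconds, clock
        self.hits = defaultdict(deque)

    def allow(self, client):
        now = self.clock()
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()          # drop hits that fell out of the window
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


def hardened_lookup(records, sessions, limiter, client_ip, token):
    """Rate-limit first, then take the subject from the session, never from a
    caller-supplied ID. A bad token gets one uniform answer, so the response
    no longer reveals whether any particular ID exists."""
    if not limiter.allow(client_ip):
        return 429, {"error": "too many requests"}
    subject = sessions.get(token)
    if subject is None or subject not in records:
        return 401, {"error": "unauthorized"}
    rec = records[subject]
    return 200, {"name": rec["name"], "status": rec["status"]}


def hardened_update(records, sessions, limiter, client_ip, token, status):
    """Same shape as the lookup: there is no ID parameter at all, so a caller
    can only ever change the record bound to their own session."""
    if not limiter.allow(client_ip):
        return 429, {"error": "too many requests"}
    subject = sessions.get(token)
    if subject is None or subject not in records:
        return 401, {"error": "unauthorized"}
    if status not in ("healthy", "showing symptoms", "ill"):
        return 400, {"error": "bad status"}
    records[subject]["status"] = status
    return 200, {"status": status}
```

Running `enumerate_ids` against `vulnerable_lookup` with a range of candidate numbers returns exactly the records that exist, names included, which is the whole of the first loophole; against `hardened_lookup` an anonymous caller gets the same 401 for every guess and is cut off by the limiter after a handful of attempts. The update flaw disappears for a structural reason rather than an added check: the hardened update has no field in which to name someone else.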
How simple a program would be needed to conduct such a mission? It took this writer 15 minutes to write seven lines of code that ran against the website for a single hour to get the details in question. In other words, anyone who knows how to write a script can do so very easily. This data, of course, can easily be cross-referenced with other databases - for example, that of the addresses of all Israelis registered to vote, as exposed by the Elector app.
The initial error was found by a military source who, like others in the army, was asked to report his own health status on the site. He managed to find the exploit within minutes and reported it to the Israeli podcast CyberCyber and this writer. Noam Rotem, a prominent Israeli ethical hacker, and I confirmed the exploit as well as others. We then reported them to the IDF, which immediately took down the site and within a few hours fixed the issue, allowing the site to resume activity.
The IDF said in response: “In the morning a malfunction regarding data privacy was spotted in our health questionnaire system. The issue was fixed within a number of hours.”