The Israel Defense Forces' innovation department's website is not exactly Fort Knox and, as it does not contain classified information, it would seem to have nothing to fear from hackers. Nonetheless, the site has exposed confidential and personal information about tens of thousands of Israeli soldiers, both those still doing their mandatory service and those in the reserves.
The website invites soldiers to submit suggestions to help the military become more efficient, and lets them vote on innovative proposals raised by other soldiers. It is a nice idea: the information there is not that secret, and the site even avoids identifying soldiers by their full names. Regrettably, however, it has inadvertently exposed the names and phone numbers of tens of thousands of soldiers.
How did it happen? It’s because of the registration process.
On November 11, many soldiers received a text message (in Hebrew): “Shalom ____! Do you have ideas that will enable the IDF to become more efficient and save resources? We want to hear you! You have a real opportunity to influence here https://say.idf.il/xxxx. This link is personal and cannot be transferred. Classified ideas can be sent to military email: What do you think ____.”
Instead of the underlines, each soldier saw a message personally addressed to them, and instead of the “xxxx” was a unique four-character text for each soldier, made up of numbers and lower-case English letters. When a soldier enters the site, they see a screen with their name and military email address – and are asked to confirm their details.
The first problem is in the link sent to each soldier, but the bigger issue is an exploit made possible by a different weakness in the registration system.
We have seen systems in the past that use links such as https://site.com/123456, for example; all the attacker then needs to do is enter the site using links with consecutive numbers.
This is a well-known and easily understood attack: it lets the attacker work out how the internal resources are structured (here, the link) and use that knowledge to obtain more information. In this case the attacker only needs a simple script that walks link after link and records what each one returns. This is a serious mistake, because every correct combination of numbers and letters reveals the corresponding full name and telephone number. Security-wise, such personal details, certainly those belonging to soldiers, need to be protected behind a password at the very least.
In the army's programmers' defense, in this case they did not use consecutive numbers but random text, for example 1abc or 3gfh. Yet even such random text is a security hole, because it is not long enough and is far too easy to guess or generate automatically.
A four-character string known to consist only of numbers and lower-case letters can easily be guessed by a program. If we were trying to hit a single specific combination, it would take about 1.6 million attempts. But here there are many more valid combinations, since every soldier has their own unique one. If there are 100,000 soldiers in the database, a potential attacker would need to make only 160 guesses to get a hit.
The website allowed unlimited attempts, enabling what is termed a brute-force attack. It was open to access from outside Israel and gave a clear indication of which links were active. If an attacker tries a number of times to reach a nonexistent resource or page on my personal blog – which contains no personal information at all – their IP address is blocked. Such a policy is critical for many sites.
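The keyspace arithmetic above, together with the two fixes the article points to (long random tokens, and blocking a client that keeps requesting nonexistent resources), as an added Python example; this is not code from the article or from the IDF site, and the 32-character default length, the miss threshold and the IP addresses are assumptions.

```python
import secrets
import string
from collections import defaultdict

# Alphabet the article describes: digits plus lower-case English letters (36 symbols).
ALPHABET = string.digits + string.ascii_lowercase


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct tokens of the given length over the alphabet."""
    return len(alphabet) ** length


def expected_guesses_per_hit(length, valid_tokens, alphabet=ALPHABET):
    """Average number of uniformly random guesses before one lands on a live token.
    With many live links the attacker need not target one soldier: any hit leaks,
    so the keyspace is divided by the number of valid tokens."""
    return keyspace(length, alphabet) / valid_tokens


def min_token_length(valid_tokens, max_hit_probability, alphabet=ALPHABET):
    """Shortest length at which one random guess hits a live token with
    probability at most max_hit_probability (a sizing rule for the fix)."""
    length = 1
    while valid_tokens / keyspace(length, alphabet) > max_hit_probability:
        length += 1
    return length


def new_token(length=32, alphabet=ALPHABET):
    """Unguessable personal-link token from the CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class NotFoundLimiter:
    """Blocks a client after repeated requests for nonexistent resources,
    the policy the article describes. The threshold is an assumption."""

    def __init__(self, max_misses=5):
        self.max_misses = max_misses
        self.misses = defaultdict(int)

    def allow(self, client_ip, token_exists):
        """Return True if the request should be served; count misses per IP."""
        if self.misses[client_ip] >= self.max_misses:
            return False                      # already blocked
        if not token_exists:
            self.misses[client_ip] += 1
        return True
```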
I wrote a short script, just a few lines long, to check whether the information could be mined. Very quickly I had in my hands the names and telephone numbers of many soldiers – and of course I could get into the site itself. Even though it did not contain classified information, it had more information that could aid hackers in many other ways.
I informed the IDF and the link was blocked within a short time. Now anyone who wants to enter the site is required to enter a username and password – and their details are not exposed.
The IDF Spokesman’s Unit said, “this was a localized error discovered in a questionnaire website sitting on a civilian network. The problem was discovered at an early stage and fixed quickly. As a result, the possibility of information leak was stopped. The incident will be investigated and the conclusions will be learned.”
Ran Bar-Zik is a developer at Verizon Media and a writer at internet-israel.com. The opinions presented here are his own and not the views of Verizon Media.