If the technology failure at the heart of the Iowa caucus debacle seemed bad, consider that an app used by Israeli Prime Minister Benjamin Netanyahu’s Likud Party just exposed personal data on more than 6.4 million Israelis - in other words, the entirety of the country’s voter database.
Likely at fault, according to a report in Haaertz, is a misconfigured Election Day app, Elector, that the party uses to manage election day. Political parties are allowed to download the registry under strict privacy and usage requirements. But an app flaw seemingly allowed anyone to download it.
Exposed was voters’ personal information, including names, addresses and identity card numbers as well as phone numbers and gender.
“Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security,” said Ilia Kolochenko, Founder and CEO of ImmuniWeb.
As was evident with the IowaReporter app that wreaked such havoc last week for the Democrats, testing is often given short shrift.
The apps “complexity and architectural obscurity hinder security testing with traditional tools and automated scanners,” Kolochenko said, leaving “many dangerous security flaws remain undetected for years.” As do attacks that exploit those flaws.
“The APIs are riddled with a full spectrum of OWASP API Security Top 10 issues, some of which are intertwined and require chained exploitation,” Kolochenko said. “Moreover, compared to web applications, virtually no APIs or web services are protected by a WAF, making them a perfect target for cybercriminals.”
The Elector app’s developer, Feed-b, called the incident a “one-off” and said it has already upped security. But security experts like Javvad Malik, security awareness advocate at KnowBe4, expect that, given the vast amounts of data collected and stored, leaks will continue to occur until organizations change their mindsets and develop a culture of security.
“It's important for organizations to realize that there is no step they can take to fix these issues, and neither is there a seven-step plan that can be followed that applies to all scenarios,” he said.
Rather a culture of security needs to be embedded within organizations so that the right questions are asked at the right time to account for risk and potential exposure, and based on that, ensure that the most effective controls are implemented.”