As political parties more readily capitalize on new technologies and the internet to broaden their reach, new apps continue to pop up for the purpose of measuring potential votes or increasing a party’s popularity. In addition to performing these functions, the applications can also gather personal information about the voter like name, age, gender, and sometimes even ID number, political affiliations and other valuable data.
Of course, the information gathered through these applications is not intended to serve any malicious purpose, but rather only to indicate political trends or encourage people to support a particular party so candidates can better prepare themselves for upcoming elections.
But what happens when the information is not properly protected and personal data falls into the wrong hands? This hot topic has been engaging quite a lot of people lately in different countries around the world and it’s far from an imaginary scenario.
Let’s take a closer look at 3 examples of where applications were compromised and party headquarters were hacked, and how these could have been avoided.
U.S. 2018: 2,600 files containing political campaign data exposed
In 2018, over 2,600 records of U.S. voters were leaked to the internet because of a simple misconfiguration of the company database in the cloud.
“RoboCall” developed by “RoboCent”, a data analytics company specializing in political campaigning, was an app which could send voice and SMS alerts to voters. The company, unfortunately, didn’t protect its database as there was no password required to access it. As a result, audio files with pre-recorded messages and spreadsheets containing voters’ names, addresses, phone numbers and other vital personal and demographic data were exposed to the internet.
RoboCent files on the website “GrayhatWarfare”
A spreadsheet containing voter’s data and calculated political affiliation
The data was left open to the internet long enough to appear on different sites, including “Grayhat Warfare”.
West Virginia, 2018: Internet voting mobile application compromised by MIT researchers
A newly introduced mobile application called “Voatz” made West Virginia the first state in the U.S. to allow voters to cast their ballots via smartphone, mainly targeting overseas military and absentee voters. MIT researchers discovered vulnerabilities in the app that allowed them to alter, stop, or expose a user’s vote. These vulnerabilities also included 3rd party services for app functionality that had several privacy issues and enabled recovery of user’s vote via a side-channel attack.
Voting side-channel attack — When the voter selects a candidate, the length of ciphertext varies widely according to metadata provided about the candidate in the description (on the left). This way, the length of the encrypted packet clearly leaks which candidate was selected (on the right)
Israel elections, 2020: Personal data of 6.5 million voters leaked
In February of this year as Israeli citizens were preparing to go to the polls, the media reported that the personal information of the country’s eligible 6.5 million voters had been leaked through the unsecured “Elector” app. The information, which included names, identification numbers, addresses, gender, and phone numbers, had been uploaded by the Prime Minister’s Likud party to the app in order to help manage election day.
The vulnerability in the app allowed anyone to easily get access to the data by following a couple of simple steps:
- Right-clicking “view-source” at the Elector website home page to access client-side code.
- The client-side code included a URL to another Elector website, with the ending “get-admin-users”, where usernames and passwords of admins were displayed.
- Choosing one of the presented admin credentials to log in and downloading the entire voter’s registry from the Elector site.
The admin’s credentials as presented on the Elector web-page accessed with URL: http://elector/####/(Server URL) + get-admin-users
It is important to note that, in Israel, political parties can receive personal information about voters as long as it is secure, they don’t provide it to 3rd parties, and they permanently delete all the data after the election is over.
The severity of the security breach intensified when, a month later, the “Bubble Dan” transportation app revealed the details of tens of thousands of Israelis, including thousands of citizens whose identification cards had been scanned into the system, provided by the users themselves as part of identification for veteran citizens.
The vulnerability of the “Bubble Dan” app was caused by the lack of an authorization check. Constructed in a WordPress platform for WEB and mobile view applications, it revealed a lot of data by simply accessing the URL: www.bubbledan.co.il/wp-content/uploads.
The “Uploads” directory by default appears at this address in WordPress-based apps.
The integration of compromised data from the both the “Elector” app and the “Bubble Dan” app resulted, for some users, in enough information to spoof identity and access almost every governmental and business internet service.
Screenshots of a mobile app breach showing the result of adding “wp-content/uploads” to the URL
Protect your data
It’s obvious that the majority of the vulnerabilities could have been prevented by simple authorization checks applied to everyone application’s components, and by making sure that no sensitive data that could be used by an external source was stored on the client-side.
All those factors could have been discovered early in a risk assessment or threat modeling process which is achieving much greater awareness worldwide these days, and hopefully will make our personal data, as citizens, more secure in the near future.