Cybersecurity researchers find security flaws in Likud, Labor party Android apps

Flaw in Likud’s app allows hackers to access list of party members and their personal details; Labor app provides users’ contact lists and finds their closest relations

Shoshanna Solomon was The Times of Israel's Startups and Business reporter

Illustrative. A payments system hacker. (Welcomia; iStock by Getty Images)

Researchers at Israeli cybersecurity firm Check Point Software Technologies Ltd. said Wednesday that they had found “serious security breaches” granting access to “highly sensitive personal information” in the Android phone apps of the Likud and Labor parties.

“There has been much talk of impact attacks on social networks and we learn more and more about the offensive capabilities of various countries and entities in cyberspace. But we often ignore the factor that allows these attacks — access to sensitive information we share, sometimes without any intention of doing so,” Check Point said in an emailed statement.

“Sensitive information such as political opinion, social contacts, demographic data, telephone numbers, and addresses of us and those close to us can be of great help to the various elements operating in cyberspace,” the statement said.

Lotem Finkelstein, who heads the threat intelligence desk at Check Point Software Technologies in Tel Aviv, December 3, 2018 (Shoshanna Solomon/Times of Israel)

With that in mind, the researchers set out to examine the mobile apps of the various parties running in the April 9 national election.

“The purpose of the test was to examine which services they offer to the public and mainly what information they collect about us,” and what they do with it, the statement said.

The researchers found that three parties — Likud, Labor and the Yashar party — offer smartphone apps.

Studying the Likud party app and the server behind it, the researchers found “several vulnerabilities” that made it possible for hackers to access the whole list of Likud members, including personal details like home address, emails, cellphones and credit card numbers, said Lotem Finkelstein, who heads the threat intelligence desk at Check Point, in a phone interview.

All hackers needed to do to access this information was gain access to the phone of a person with the Likud app downloaded on their phone and input that person’s ID number or cellphone number, he said.

“This is a very serious vulnerability,” he said. Even worse, he said, all of the data on the server that could be accessed via the app was not encrypted but in plain text.
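The flaw described above, a lookup that hands back a full member record to anyone who supplies an ID or phone number, is a textbook case of missing authentication and authorization on a server endpoint. The following Python is an added illustration written for this article, not code from Check Point or from either party's app; the member records, passphrases and function names are constructed. It places the weak lookup beside a hardened one that requires a login-issued session token, returns only the caller's own record, drops fields the app has no need to display, and locks an account after repeated failed logins.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records standing in for a party's membership database.
MEMBERS = {
    "m1": {"id_number": "012345678", "phone": "0501111111", "name": "Member One",
           "address": "1 Sample St", "email": "one@example.invalid",
           "card": "4111111111111111"},
    "m2": {"id_number": "087654321", "phone": "0502222222", "name": "Member Two",
           "address": "2 Sample St", "email": "two@example.invalid",
           "card": "5500000000000004"},
}


def lookup_member_weak(identifier: str) -> Optional[dict]:
    """Weak pattern: whoever supplies an ID or phone number gets the whole
    record, card number included, with no proof of who is asking."""
    for record in MEMBERS.values():
        if identifier in (record["id_number"], record["phone"]):
            return record
    return None


# --- Hardened pattern ----------------------------------------------------
# Password hashes are derived here from constructed plaintexts only so the
# example is self-contained; a real server stores just the salt and hash.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_CREDENTIALS = {}
for _key, _pw in (("m1", "correct horse battery"), ("m2", "another long passphrase")):
    _salt = secrets.token_bytes(16)
    _CREDENTIALS[_key] = (_salt, _hash_password(_pw, _salt))

SESSIONS: dict = {}        # opaque session token -> member key
FAILED_LOGINS: dict = {}   # member key -> consecutive failed attempts
MAX_FAILURES = 5


def login(member_key: str, password: str) -> Optional[str]:
    """Issue an unguessable session token only after verifying the password;
    lock the account after MAX_FAILURES consecutive failures to slow guessing."""
    if FAILED_LOGINS.get(member_key, 0) >= MAX_FAILURES:
        return None
    cred = _CREDENTIALS.get(member_key)
    if cred is None:
        return None
    salt, expected = cred
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        FAILED_LOGINS[member_key] = FAILED_LOGINS.get(member_key, 0) + 1
        return None
    FAILED_LOGINS[member_key] = 0
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = member_key
    return token


def lookup_member_hardened(token: str, identifier: str) -> Optional[dict]:
    """Authenticate the caller, let them read only their own record, and
    never return fields the client has no business displaying."""
    member_key = SESSIONS.get(token)
    if member_key is None:
        return None   # no valid session: an HTTP server would answer 401
    record = MEMBERS[member_key]
    if identifier not in (record["id_number"], record["phone"]):
        return None   # asking for someone else's record: 403
    return {
        "name": record["name"],
        "email": record["email"],
        "phone_masked": "*" * 6 + record["phone"][-4:],
        # home address and card number are deliberately absent
    }
```

The weak function is the shape of bug the researchers describe: the identifier is both the query key and the only "credential". The hardened function separates the two, so knowing a phone number proves nothing, and it also applies data minimization, which is the cheapest mitigation of all: a field that is never sent cannot leak through the app.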

Besides exposing the personal data of Likud members, getting access to the Likud membership list could come in handy for hackers who want to specifically target these members “with cyber attacks or influence attacks,” he said.

The Labor Android app, he said, enables the Labor party operators of the app to access the entire contact list of the person who has downloaded the app and send this information back to the server. This is not possible to do with apps for Apple iOS devices, he said, because it violates Apple’s privacy agreements.

Furthermore, the operators of the app set up an algorithm that enables them to map out the relationship of the person to the people within the contact list, by studying how their details are saved within the phone, he said. “Names like Hubby, love, Noaleh” all mean that these people are close to the person in question, he said.

“They have created a social network of thousands of users of the app,” and their contacts, Finkelstein said, adding that the researchers don’t know what the Labor party has done with this data, but it could allow them to make a greater impact with their messaging.

Finkelstein said that Check Point has alerted Israel’s Privacy Protection Authority, which will assess whether accessing the contact list is a criminal matter.

The researchers said they alerted the parties about these vulnerabilities. The Likud party said in a statement that it had immediately attended to the matter. “Personal information was not leaked and there was no damage,” it said. A spokeswoman for the Labor party did not immediately respond to a message seeking comment.

The app for the Blue and White party is not an official party app, he noted, and the researchers therefore did not study it.
