A new feature on the Likud party website that made the identity of party members public was taken down after the Privacy Protection Authority intervened, Channel 12 reported Thursday.
The security vulnerability was detected in a new user-friendly interface on the site that was designed to allow party members to find out whether or not they are eligible to vote in the upcoming primaries.
But the interface also allowed any person visiting the site, including people not registered as party members, access to enough of party members’ personal information to identify them. Use of the interface did not require any form of identification and there were no security measures in place.
By merely typing in a person’s full name, users could see whether that person was a Likud member. This would allow family members, colleagues or employers to check whether or not people they know are Likud members — a clear violation of the country’s data protection laws.
The breach was first discovered after users began posting screenshots from the Likud website on social media with personal details of Likud members, like where they vote and the last digits of their identification number.
From 1 to 10, how surprised are you to discover that all the founders of 'Project 315' are Likud members? pic.twitter.com/K2UmmeJg9p
— הדרקון (@Ha_Drakon) July 28, 2022
Learning about the serious breach of information, Israel’s Privacy Protection Authority instructed Likud to take down the interface immediately.
“[The interface] allowed any person to check who among Israel’s citizens had joined the party. As was instructed by the authority, the interface in question is no longer active,” a statement issued by the Privacy Protection Authority read.
The interface was active for several days before it was taken down, Channel 12 said.
“This incident is especially serious because it allows any person, including people from outside of Israel, potentially from hostile states, to check all kinds of things,” Dr. Tehilla Shwartz Altshuler of the Israel Democracy Institute was cited by Channel 12 as saying.
“As an employer, I can find out whether my employees have joined the party, although it’s not information that I’m supposed to know,” she added.
Altshuler clarified that the full name of a person and where they vote (which is probably where they live) was enough to identify a person, as people today have access to many databases that could be used to compare and confirm someone’s identity.
Other parties offer similar services that give party members access to information about the party and its other members. These, however, usually require users to confirm their identity in a more secure process before gaining access, like typing in a code that is sent to their phones. And even then, the accessed information is usually more limited.