If the technology failure at the heart of the Iowa caucus debacle seemed
bad, consider that an app used by Israeli Prime Minister Benjamin Netanyahu’s
Likud Party just exposed personal data on more than 6.4 million Israelis – in
other words, the entirety of the country’s voter database.
at fault, according to a report
in Haaretz, is a misconfigured Election Day app, Elector, that the party uses
to manage election day. Political parties are allowed to download the registry
under strict privacy and usage requirements. But an app flaw seemingly allowed
anyone to download it.
was voters’ personal information, including names, addresses and identity card
numbers as well as phone numbers and gender.
weaknesses affecting APIs are rapidly becoming one of the most critical aspects
of modern application security,” said Ilia Kolochenko, Founder and CEO of
was evident with the IowaReporter app that wreaked such havoc last week for the
Democrats, testing is often given short shrift.
apps “complexity and architectural obscurity hinder security testing with traditional
tools and automated scanners,” Kolochenko said, so that “many dangerous
security flaws remain undetected for years.” As do attacks that exploit those
APIs are riddled with a full spectrum of OWASP API Security Top 10 issues, some
of which are intertwined and require chained exploitation,” Kolochenko said. “Moreover,
compared to web applications, virtually no APIs or web services are protected
by a WAF, making them a perfect target for cybercriminals.”
Elector app’s developer, Feed-b, called the incident a “one-off” and said it
has already upped security. But security experts like Javvad Malik, security awareness
advocate at KnowBe4, expect that, given the vast amounts of data collected and
stored, leaks will continue to occur until organizations change their mindsets
and develop a culture of security.
“It’s important for organizations to realize that there is no step they can take to fix these issues, and neither is there a seven-step plan that can be followed that applies to all scenarios,” he said.
“Rather, a culture of security needs to be embedded within organizations so that the right questions are asked at the right time to account for risk and potential exposure, and based on that, ensure that the most effective controls are implemented.”