Property tax forms, building files, photos of vehicles, parking reports and many other documents were exposed through another embarrassing weakness that could easily have been prevented, this time in Israel's largest city. The municipality responded: “The Jerusalem municipality is studying this case and will take lessons accordingly.”
Another day passes and more security vulnerabilities are revealed. After the uncomfortable holes in the “grief” service, Associations, Voter use and, more recently, the Shirbit affair, companies and organizations are learning the hard way about the importance of protecting their corporate information. Today we are learning about another hole left open to anyone seeking the personal details of citizens, this time those of more than 900,000 residents of Israel’s largest city, Jerusalem.
I wanted to appeal the parking report, and got a hole
Hezekiah Rabul, a geeky programmer and reader, sought to help his uncle, who wanted to appeal the parking report he received. “We wanted to see pictures taken by the inspector. I went to their site and looked at the pictures, but there was no download button. I wanted to keep it (picture, AB), draw it and send it to appeal,” Raphael explains. “I pressed F12 and saw the URL where the image comes from. I found that it had a sign and a running number.”
If you have followed some of the hacks posted here this year, you already understand how it works: any person with a minimum of technical knowledge, and without any powerful hacking tool like Pegasus, can change the last digit at the end of the URL in the browser and get a picture of another car. If that’s not enough, Raffles says that changing the digits in the middle of the string brings up building files, property tax applications, copies of appeals, copies of reports and “any document issued or sent by the municipality.” On top of that, when Raphael pasted the link to the report into a Google search, he discovered that it was defined as public and indexed by the search engine. “If I tried to get into them, I would not need a parking report to find the link. The link is public,” he explains.
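An added example, not code from the article or from the municipality's site, of one way to close the hole described above: the server checks that the session owns the document and that the link carries a valid, expiring HMAC, and it marks every response as non-indexable. The key, the document store and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# All values below are constructed for illustration.
SECRET_KEY = b"constructed-demo-key"   # hypothetical server-side secret
LINK_TTL = 900                         # link lifetime in seconds
# Constructed store: running document number -> (owning report, content)
DOCUMENTS = {
    1001: ("report-A", b"vehicle photo for report A"),
    1002: ("report-B", b"vehicle photo for report B"),
}
# Sent on every response so crawlers do not index or cache document links.
PRIVATE_HEADERS = {"X-Robots-Tag": "noindex, noarchive",
                   "Cache-Control": "private, no-store"}


def _sign(doc_id, owner, expires):
    """HMAC over the id, its owner and the expiry, so none can be altered."""
    msg = f"{doc_id}|{owner}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(doc_id, session_owner, now=None):
    """Return query parameters for a document the session is entitled to."""
    owner, _ = DOCUMENTS[doc_id]
    if owner != session_owner:
        raise PermissionError("document belongs to another report")
    expires = (int(time.time()) if now is None else now) + LINK_TTL
    return {"id": doc_id, "exp": expires, "sig": _sign(doc_id, owner, expires)}


def serve_document(params, session_owner, now=None):
    """Return (status, headers, body); the running number alone opens nothing."""
    now = int(time.time()) if now is None else now
    doc = DOCUMENTS.get(params.get("id"))
    if doc is None:
        return 404, PRIVATE_HEADERS, b""
    owner, body = doc
    expected = _sign(params["id"], owner, params.get("exp"))
    sig_ok = hmac.compare_digest(expected.encode(), str(params.get("sig")).encode())
    # Foreign or tampered requests get the same 404 as unknown ids, so the
    # response does not reveal which running numbers exist.
    if not sig_ok or owner != session_owner:
        return 404, PRIVATE_HEADERS, b""
    if now > int(params["exp"]):
        return 410, PRIVATE_HEADERS, b""
    return 200, PRIVATE_HEADERS, body
```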
Raphael rushed to do what every responsible citizen is expected to do and undertook a disclosure process to the internet queue, where he got a quick response. Within about an hour the corresponding part of the site was taken offline.
When asked how he feels about the poor security, Raphael says, “Hold yourself up with your hands.” “Maybe we should make a law for them to do tests … I did not try to get into them, I did not fish, and then I won … I saw it. If I get too bored tomorrow, I will not try to help my uncle, but if I try to get into them, what to do? It’s nothing less than a magic wand. Here are the identity cards, the property tax documents.”
Most importantly, what about the report?
Rable: “Now I hope I can appeal the statement.”
Jerusalem Municipality: Read the case and draw lessons accordingly
Cyber Answer: “This issue was reported to the queue and was soon shut down by the municipality, according to the report. As part of the organization’s new plan, companies may require hosting companies and/or their website builders to meet the organization’s information security standards and “system hosting nature”.”
We asked the Jerusalem Municipality for an answer, especially to understand whether the information revealed was still in the hands of the less sympathetic. This is their answer: “This morning, the Jerusalem Municipality received an update from the Internet regarding a technical malfunction that was immediately resolved. The Municipality of Jerusalem is studying the case and will draw lessons accordingly.”