Security Flaw in Israeli Propaganda App Exposed User Emails

Israel pours millions of dollars into propaganda, but couldn't keep its own advocates' emails safe.

Photo Illustration: The Intercept. Act.il youtube video

A propaganda app connected to the Israeli government failed to include basic privacy and security protections, putting the email addresses of at least 1,900 of the Israeli government’s most ardent supporters at risk. The vulnerabilities in the app, called Act.il, were discovered by an independent security researcher, who disclosed the flaws to the Intercept.

Act.il has been touted for months by Israel’s Ministry of Strategic Affairs. It was funded by three non-profit partners — Maccabee Task Force, a pro-Israel campus group; the Israeli-American Council, a non-profit that promotes ties between the U.S. and Israel; and IDC Herzliya, an Israeli research institution. All three organizations receive substantial funding from the billionaire casino magnate Sheldon Adelson, who has poured money into right-wing pro-Israel causes and Donald Trump’s presidential campaign.

“I was shocked to find that email addresses for users were being shared across the Internet whenever a search is performed,” said the security researcher, who asked to remain anonymous to avoid repercussions from the Israeli government and its supporters. The researcher provided the Intercept with a list of email addresses gleaned from Act.il’s users as well as proof that anyone with rudimentary programming skills could obtain the same information by watching the app’s network traffic.

The Intercept informed Rallyware, the app’s developer, of the vulnerability last week and provided additional details on June 25. On June 28, Rallyware acknowledged by email that they had changed the app in response to The Intercept’s inquiry. “Due to the open community nature of the Act.il app, certain user information was shared among community members,” Rallyware wrote. “As your initial question suggested an opportunity for abuse of that feature, we have since limited this functionality.”

The security researcher who first discovered the vulnerability agreed that it had been “patched.”

Act.il is part of a series of efforts by the Israeli government and its supporters at hasbara, a Hebrew word for explanation that is frequently used to describe public diplomacy or propaganda by Israel and its advocates. Programs dealing with hasbara are part of a long-running effort to influence Western audiences’ perceptions of Israeli policy. “Starting today, you are going to tell the whole world the real truth about Israel,” said the Israeli model Yityish Aynaw, in a video promoting the act.il. Haaretz, Israel’s oldest daily newspaper, pointed to the involvement of Gilad Erdan, who heads up Israel’s Ministry of Strategic Affairs.

The security flaws allowed users to gain access to other users’ information. Anyone can see the names and avatars of Act.il users by creating an account and logging into the app. But user email addresses, which appear to be private, can be easily collected through the app’s public-facing interface. A somewhat similar vulnerability led to the exposure of email addresses belong to more than 100,000 early iPad buyers in 2010.

In the age of social media, many governments seek to deploy armies of sympathetic followers to endorse their messages and spread them through social networks. Rather than rent out mercenaries — bot armies, hackers, and click farms — Act.il is part of an attempt to muster a reliable corps of sympathetic volunteers to do this work of spreading pro-government messages.

But not everyone on the app was a mere volunteer. A review by the Intercept of the email addresses that became available through the security flaws suggested that dozens of Act.il’s earliest users have email addresses connected to organizations that funded or developed the app. That means Act.il, which purports to be a grassroots campaign, was essentially seeded with paid activists.

Available in both Hebrew and English, Act.il awards users badges and points for completing “missions” — tasks or assignments — that involve spreading news stories and other messages through social media. Most promote positions taken by right-wing Israeli Prime Minister Benjamin Netanyahu’s government and focus on pushing back against the Boycott, Divestment, Sanctions (or BDS) movement. BDS seeks to leverage non-violent tactics to punish Israel economically for its ongoing occupation of Palestinian territories. According to another Haaretz report, Erdan, the Israeli minister has attempted to set-up an internal government database to track Israeli supporters of the BDS movement.

One recent Act.il mission required users to report an anti-Semitic caricature — a skull-faced woman with a Star of David on her chest, squatting on a globe and nursing the devil — to Facebook moderators. Others told users to retweet specific reports. One assignment highlighted Israeli counter-terrorism cooperation with British authorities. Another called on participants to promote a media story that Warren Buffett was going to push private investors to buy Israeli bonds.

A skeptical report on the campaign from Haaretz pointed out that Act.il gave a slanted label to an in-depth Al Jazeera video on the two-state solution to the Israeli-Palestinian crisis, calling it “demonization and incitement.”

The security researcher told the Intercept that Act.il’s leakage of personal information reflects badly on the claim that the app’s claim to help protect the state of Israel. Email addresses, they added, can be used by hackers as an “attack vector” for delivering malware and spear-phishing for passwords. Spear-phishing was famously deployed last year against the Gmail account of John Podesta, Hillary Clinton’s campaign chairman.

Join The Conversation