Vulnerabilities in Moovit's Transport App Could Have Granted Hackers Free Rides
Security Researcher Reveals Exploitable Flaws in Moovit Transportation App Allowing Potential Account Hijacking and Data Access
A security researcher, Omer Attias from SafeBreach, has uncovered three vulnerabilities in the popular transportation app Moovit. These security gaps could have been exploited by hackers to compromise user accounts, leading to unauthorized free rides and access to sensitive personal information. Attias found that the vulnerabilities let him collect the registration details of new Moovit users worldwide, including phone numbers, email addresses, home addresses, and the last four digits of payment cards. Most critically, the bugs could have allowed malicious actors to take over users' accounts, including the payment card linked to each account, and use them to pay for the attacker's own journeys.
Remarkably, this sequence of exploits could have been carried out without victims being alerted, except for noticing unauthorized charges on their credit cards. Attias dubbed this a "perfect attack."
Attias explained, "We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets," during an interview with TechCrunch ahead of his presentation at the Def Con hacking conference in Las Vegas. He emphasized that these vulnerabilities could have allowed complete access to users' personal information.
To demonstrate the gravity of the discovered bugs, Attias constructed a customized interface that allowed him to take control of others' accounts with just a few clicks. Although Attias tested his findings in Israel, he believed they could have been effective in other global cities, as Moovit operates worldwide.
Moovit, an Israeli startup, was acquired by Intel for $900 million in 2020. The app helps users find routes, view public transportation maps, and purchase tickets. Moovit reports 1.7 billion riders in 3,500 cities across 112 countries.
While these vulnerabilities had the potential for significant impact, Moovit said there is no evidence that malicious hackers exploited the flaws. Attias disclosed his findings to the company in September 2022, and Moovit subsequently fixed the issues.
Moovit spokesperson Sharon Kaslassi stated, "Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue." She also clarified that no malicious actors exploited these vulnerabilities to access customer data, and no credit card information was compromised, as Moovit doesn't retain such data.
Kaslassi further noted, "The vulnerabilities have long since been fixed and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file."
Attias pushed back on Moovit's statement: "We believe we could have charged any customer not limited to Israeli customers. We haven't seen any differentiator between Israeli and non-Israeli customers in their API requests."