Security Flaws On Moovit Might Have Given Hackers Free Rides And Customer Data

Posted on August 13, 2023 at 7:48 AM

Attackers could have gained unauthorized access to user accounts on Moovit, a widely used public-transit app. According to security researchers, the flaws could have been exploited to obtain free rides and to access the personal information of people already registered on the app.

Hackers could have exploited flaws in the Moovit app to get free rides

Omer Attias, a security researcher at SafeBreach, discovered the vulnerabilities. He said he found three security flaws in the app that allowed him to collect user information, including the registration details of Moovit users worldwide.

The data reachable through the flaws included users’ cell phone numbers, email addresses, home addresses, and the last four digits of their credit card numbers. The flaws also put accounts themselves at risk, since they could be used to hijack an account and take full control of it.

An attacker could also have used a victim’s stored payment details to pay for the attacker’s own rides. Such an attack would likely have gone unnoticed by the victim; the only trace would be an unexpected charge on the victim’s credit card. Attias called it “the perfect attack” because of that stealth.

Speaking to TechCrunch, Attias noted that an attacker could take control of an account without disconnecting the legitimate user from it. Attias presented further details of the vulnerabilities and their impact in a talk at the Def Con hacking conference.

“We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets,” Attias said. “And additionally, we can access all of their personal information.”

The researcher also built a custom interface to demonstrate the impact of the flaws; it let him take over user accounts in just a few clicks. Attias said he tested the vulnerabilities only in Israel, but noted that they likely worked in other cities as well, since Moovit operates globally.

Flaws were not exploited in the wild

Moovit is a transit app company based in Israel; Intel acquired it in 2020 for $900 million. The app is widely used in the transportation sector, letting users plan routes and view maps of public transportation systems.

The app also lets users purchase and use tickets. Given its convenience to everyday travelers, it is used worldwide: according to Moovit, the app serves 1.7 billion riders in 3,500 cities across 112 countries.

The potential impact of the flaws was broad, but Moovit said there was no evidence that threat actors had found or exploited the bugs. According to Attias, he reported the flaws to the company in September 2022, and the company issued a patch to fix them.

A company spokesperson said that when Attias reported the flaws, Moovit was already aware of them and working on a fix. The spokesperson said the flaws have since been patched and that customers need take no action, as they are no longer at risk.

The spokesperson also said that malicious actors did not exploit the flaws to access customer data, and that credit card data was not exposed because the company does not store credit card information. The spokesperson added that the issues were only active in Israel.

The spokesperson further noted that SafeBreach had not misused customer data, in Israel or elsewhere, while preparing its findings on the flaws.

Responding to Moovit’s comments, Attias said SafeBreach believed the vulnerabilities could have affected all customers, not just those in Israel, because the API requests contained nothing that distinguished customers based in Israel from those elsewhere.
