Moovit App Vulnerabilities: Unveiling Potential Security Breach and the Power of Responsible Disclosure

A potential security breach has been identified in the popular transportation app Moovit, which could have granted hackers access to user accounts, personal information, and even enabled them to enjoy free rides, according to Omer Attias, a security researcher at SafeBreach.

Attias uncovered three vulnerabilities within the Moovit app, through which he could collect registration information of new Moovit users globally. This sensitive data included cell phone numbers, email addresses, home addresses, and the last four digits of credit cards. The gravity of the situation lies in the fact that these vulnerabilities could have allowed an attacker to take over other users’ accounts and pay for the attacker’s own rides with the victims’ credit cards.

What Makes This Vulnerability Distinct

Attias labeled this sequence of vulnerabilities “the perfect attack,” as it could have remained undetected by the victims, with only unusual charges on their credit cards as a potential indicator. Attias further explained that these exploits could enable hackers to impersonate accounts seamlessly, carry out various actions on behalf of the users, and access their personal information, creating a disconcerting level of intrusion.

Attias’s Testing and Insights

To underscore the impact of these vulnerabilities, Attias created a customized interface that could take over other users’ accounts with just a few taps. Although Attias confined his testing to Israel, where Moovit operates, he postulated that these vulnerabilities could have been exploited in other cities as well, given the app’s global reach.

Moovit: A Widely Used App with Global Reach

Moovit, an Israeli startup, was acquired by Intel in 2020 for $900 million. Its app is widely used across the globe, serving 1.7 billion riders in 3,500 cities across 112 countries. The app enables users to access public transportation maps, routes, and even purchase tickets.

Prompt Response and Resolution

Attias responsibly reported the identified vulnerabilities to Moovit in September 2022. The company swiftly addressed the issues, indicating their commitment to user security. Moovit’s spokesperson, Sharon Kaslassi, emphasized that the vulnerabilities had been fixed, customer data remained uncompromised, and there was no evidence of malicious exploitation of these bugs.

The Power of Responsible Disclosure

This incident highlights the importance of responsible disclosure in cybersecurity. The researcher’s efforts to bring these vulnerabilities to Moovit’s attention ensured that corrective measures were taken swiftly, safeguarding users from potential data breaches and unauthorized access. In a digital age riddled with security threats, the cooperation between researchers and companies plays a pivotal role in maintaining the integrity of users’ personal information and securing their digital experiences.
