Carding
Vulnerabilities in the popular Moovit transport app have compromised the data of a billion passengers.
Omer Attias, a security specialist at SafeBreach, has identified three vulnerabilities in the Moovit transportation app. The bugs he found allowed him to obtain registration data for new users from around the world, including mobile phone numbers, email addresses, home addresses, and the last four digits of credit cards. Moreover, he managed to take over the accounts of other people and use them to pay for his trips.
Attias calls this type of attack "perfect" because the victim is not even aware of it.
To demonstrate the vulnerabilities, the researcher created his own interface that made it easy to manage other people's accounts with just a few clicks. Although the experiments were carried out in Israel, Attias believes that similar attacks could work in other countries.
Moovit is an Israeli startup company acquired by Intel in 2020 for $900 million. The application allows users to find routes and view public transport maps, as well as buy and use tickets. It serves 1.7 billion passengers in 3,500 cities in 112 countries, according to Moovit.
While the impact of the vulnerabilities found was potentially huge, Moovit said there is no evidence that attackers found and exploited these bugs.
Attias claims that he reported all the vulnerabilities he found to the company in September 2022, and Moovit subsequently fixed them.
Moovit spokesperson Sharon Kaslassi points out that the bugs did not disclose credit card information, as the company does not store such data.