Moovit: One app, billions of passengers, and lots of data for hackers

Carding

Vulnerabilities in the popular transport app Moovit have created a threat to the data of a billion passengers.

Omer Attias, a security specialist at SafeBreach, identified three vulnerabilities in the Moovit transport services app. The bugs allowed him to obtain the registration data of new users from all over the world, including mobile phone numbers, email addresses, home addresses, and the last four digits of credit cards. Moreover, he managed to take over other people's accounts and use them to pay for his trips.

Attias calls this type of attack "perfect", since the victim does not even know about it.

To demonstrate the vulnerabilities, the researcher created his own interface that made it easy to manage other people's accounts with just a few clicks. Although the experiments were conducted in Israel, Attias believes that similar attacks could work in other countries.

Moovit is an Israeli startup company acquired by Intel in 2020 for $900 million. The app allows users to find routes and view public transport maps, as well as buy and use tickets. According to Moovit, it serves 1.7 billion passengers in 3,500 cities in 112 countries.

While the impact of the vulnerabilities found was potentially huge, Moovit said there is no evidence that attackers found and exploited these bugs.

Attias claims that he reported all the vulnerabilities he found to the company in September 2022, and Moovit subsequently patched them.

A Moovit spokesperson, Sharon Kaslassy, emphasizes that the bugs did not disclose credit card information, as the company does not store such data.