Security Flaws in Moovit App: Potential Exploits Could Have Led to Unauthorized Access


Hackers could have seized control of user accounts in the popular transportation app Moovit, using them for free rides and to access individuals' personal data, according to findings from a cybersecurity researcher.

Omer Attias, a researcher at SafeBreach, unveiled the discovery of three vulnerabilities within the Moovit app. These security loopholes allowed Attias to gather registration information of new Moovit users globally, encompassing phone numbers, email addresses, residential details, and the last four digits of credit cards. The most concerning aspect was the potential for unauthorized takeover of other users’ accounts, consequently facilitating the use of their credit cards for his own benefit.

This entire chain of exploits could have been carried out without the target's knowledge, barring unexpected charges appearing on their credit card statement. Attias dubbed the technique the "perfect attack."

Attias elaborated in an interview with TechCrunch prior to his presentation at the Def Con hacking conference in Las Vegas, stating, “We can entirely replicate accounts without triggering their disconnection. Remarkably, we have the capability to perform all account-related actions for various users, including purchasing train tickets. Additionally, we can access the entirety of their personal data.”

To demonstrate the severity of the vulnerabilities, Attias built a custom interface that let him take over other users' accounts with a couple of clicks. While Attias limited his testing to Israel, he speculated that the same techniques could apply in other cities given Moovit's global presence.

Moovit, an Israeli startup acquired by Intel in 2020 for $900 million, operates an app that facilitates route planning, public transportation map access, ticket procurement, and usage. The technology has garnered widespread global use, catering to 1.7 billion riders in 3,500 cities across 112 countries.

Although the potential impact of these security gaps was substantial, Moovit said there was no evidence that malicious hackers had exploited the vulnerabilities. Attias reported his findings to the company in September 2022, and the issues were subsequently fixed.

Moovit spokesperson Sharon Kaslassi affirmed, “Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue. The vulnerabilities have long since been fixed and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file.”

Kaslassi emphasized that the “ticketing service relevant to these findings is active in Israel only.”

In response, Attias contested Moovit’s statements, suggesting that he and his colleagues “believe we could have charged any customer not limited to Israeli customers. We haven’t seen any differentiator between Israeli and non-Israeli customers in their API requests.”