Bugs in transportation app Moovit gave hackers free rides


Hackers could have hijacked the user accounts of a popular transportation app and used them to get free rides and access people’s personal information, according to a security researcher.

Omer Attias, a security researcher at SafeBreach, said he found three vulnerabilities in the Moovit app that allowed him to collect new Moovit users’ registration information from all over the world — including cell phone numbers, email addresses, home addresses, and the last four digits of credit cards. Worst of all, the bugs could have allowed him to take over other people’s accounts, and consequently their credit cards, to pay for his own rides.

This whole chain of exploits could have been performed without the target ever finding out, apart from seeing unwanted charges on their credit card. Attias called it “the perfect attack.”

“We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets,” Attias told TechCrunch in an interview ahead of his talk at the Def Con hacking conference in Las Vegas. “And additionally, we can access all of their personal information.”

To demonstrate the impact of the bugs he found, Attias created a custom interface that allowed him to take over other people’s accounts with a couple of taps. And while Attias said he tested his exploits only in Israel, he said he thinks they could have worked in other cities, given that Moovit operates all over the world.

Moovit is an Israeli startup that was acquired by Intel in 2020 for $900 million. The app allows users to find routes and view public transportation systems’ maps, as well as to purchase and use tickets. The app and its underlying technology are widely used worldwide: Moovit claims to serve 1.7 billion riders in 3,500 cities across 112 countries.

While the impact of these vulnerabilities was potentially massive, Moovit said there is no evidence that malicious hackers found and exploited these bugs. Attias said that he reported all the bugs he found to the company in September 2022, and the company subsequently fixed them.

“Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue,” Moovit spokesperson Sharon Kaslassi told TechCrunch. “The vulnerabilities have long since been fixed and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file.”

Kaslassi also said that “ticketing service relevant to these findings is active in Israel only.”

“According to our records, neither Safebreach or anyone else took advantage of any customer data in or outside of Israel,” the spokesperson added.

In response to Moovit’s comments, Attias said that he and his colleagues “believe we could have charged any customer not limited to Israeli customers. We haven’t seen any differentiator between Israeli and non Israeli customers in their API requests.”

Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
