Bugs in transportation app Moovit gave hackers free rides
Hackers could have hijacked the user accounts of a popular transportation app and used them to get free rides and access people’s personal information, according to a security researcher.
Omer Attias, a security researcher at SafeBreach, said he found three vulnerabilities in the Moovit app that allowed him to collect new Moovit users’ registration information from all over the world, including cell phone numbers, email addresses, home addresses, and the last four digits of credit cards. Worst of all, the bugs could have allowed him to take over other people’s accounts, and consequently their credit cards, to pay for his own rides.
This whole chain of exploits could have been performed without the target ever finding out, apart from seeing unwanted charges on their credit card. Attias called it ‘the perfect attack.’
To demonstrate the impact of the bugs he found, Attias created a custom interface that allowed him to take over other people’s accounts with a couple of taps. And while Attias said he tested his exploits only in Israel, he said he thinks it could have worked in other cities given that Moovit operates all over the world.
Moovit is an Israeli startup that was acquired by Intel in 2020 for $900 million. The app allows users to find routes and view public transportation systems’ maps, as well as to purchase and use tickets. The app and its underlying technology are widely used worldwide: Moovit claims to serve 1.7 billion riders in 3,500 cities across 112 countries.
While the impact of these vulnerabilities was potentially massive, Moovit said there is no evidence that malicious hackers found and exploited these bugs. Attias said that he reported all the bugs he found to the company in September 2022, and the company subsequently fixed them.
Kaslassi, a Moovit spokesperson, also said that the ‘ticketing service relevant to these findings is active in Israel only.’
‘According to our records, neither Safebreach or anyone else took advantage of any customer data in or outside of Israel,’ the spokesperson added.
In response to Moovit’s comments, Attias said that he and his colleagues ‘believe we could have charged any customer not limited to Israeli customers. We haven’t seen any differentiator between Israeli and non Israeli customers in their API requests.’
Reference: https://techcrunch.com/2023/08/13/moovit-transportation-app-moovit-hackers-free-rides/