Bugs in transportation app Moovit gave hackers free rides

Hackers could have hijacked the user accounts of a popular transportation app and used them to get free rides and access people’s personal information, according to a security researcher.

Omer Attias, a security researcher at SafeBreach, said he found three vulnerabilities in the Moovit app that allowed him to collect new Moovit users’ registration information from all over the world — including cell phone numbers, email addresses, home addresses, and the last four digits of credit cards. Worst of all, the bugs could have allowed him to take over other people’s accounts, and consequently their credit cards, to pay for his own rides.

This whole chain of exploits could have been performed without the target ever finding out, apart from seeing unwanted charges on their credit card. Attias called it “the perfect attack.”

“We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets,” Attias told TechCrunch in an interview ahead of his talk at the Def Con hacking conference in Las Vegas. “And additionally, we can access all of their personal information.”

To demonstrate the impact of the bugs he found, Attias created a custom interface that allowed him to take over other people’s accounts with a couple of taps. And while Attias said he tested his exploits only in Israel, he said he thinks they could have worked in other cities given that Moovit operates all over the world.

Moovit is an Israeli startup that was acquired by Intel in 2020 for $900 million. The app allows users to find routes and view public transportation systems’ maps, as well as to purchase and use tickets. The app and its underlying technology are widely used worldwide: Moovit claims to serve 1.7 billion riders in 3,500 cities across 112 countries.

While the impact of these vulnerabilities was potentially massive, Moovit said there is no evidence that malicious hackers found and exploited these bugs. Attias said that he reported all the bugs he found to the company in September 2022, and the company subsequently fixed them.

“Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue,” Moovit spokesperson Sharon Kaslassi told TechCrunch. “The vulnerabilities have long since been fixed and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file.”

Kaslassi also said that “ticketing service relevant to these findings is active in Israel only.”

“According to our records, neither SafeBreach nor anyone else took advantage of any customer data in or outside of Israel,” the spokesperson added.

In response to Moovit’s comments, Attias said that he and his colleagues “believe we could have charged any customer not limited to Israeli customers. We haven’t seen any differentiator between Israeli and non-Israeli customers in their API requests.”
