Bugs in the Moovit transit app gave hackers free rides

Hackers could have hijacked user accounts of a popular transportation app and used them to get free rides and access people's personal information, according to a security researcher.

Omer Attias, security researcher at SafeBreach, said he found three vulnerabilities in the Moovit app, which allowed him to collect registration information from new Moovit users around the world, including mobile phone numbers, e-mail addresses, home addresses and the last four digits of credit cards. Worse still, the bugs could have allowed him to take over other people's accounts, and therefore their credit cards, to pay for his own rides.

This whole chain of exploits could have been accomplished without the target knowing about it, other than seeing unwanted charges to their credit card. Attias called it "the perfect attack".

"We can fully impersonate accounts, without disconnecting them. It's crazy, we actually have the ability to perform all operations on behalf of different accounts, including ordering train tickets," Attias told TechCrunch in an interview before his speech at the Def Con hacking conference in Las Vegas. "And on top of that, we can access all of their personal information."

To demonstrate the impact of the bugs he found, Attias created a custom interface that allowed him to take control of other people's accounts with just a few clicks. And while Attias said he only tested his exploits in Israel, he said he thinks it could have worked in other cities given that Moovit operates globally.

Moovit is an Israeli startup that was acquired by Intel in 2020 for $900 million. The app allows users to find routes and view maps of public transport systems, as well as buy and use tickets. The app and its underlying technology are widely used around the world: Moovit claims to serve 1.7 billion passengers in 3,500 cities in 112 countries.

While the impact of these vulnerabilities is potentially massive, Moovit said there was no evidence that malicious hackers found and exploited these bugs. Attias said he reported all bugs he found to the company in September 2022, and the company then fixed them.

"Moovit was aware of and corrected the issue when reported, and took immediate action to complete the fix," Moovit spokesperson Sharon Kaslassi told TechCrunch. "The vulnerabilities have long since been patched and no customer action is required. Importantly, no malicious actors have taken advantage of these issues to gain access to customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not maintain credit card information on file."

Kaslassi also said that "the relevant ticketing service for these discoveries is only active in Israel".

"According to our records, neither SafeBreach nor anyone else has taken advantage of customer data inside or outside of Israel," the spokesperson added.

In response to comments from Moovit, Attias said that he and his colleagues "believe that we could have charged any customer, not just Israeli customers. We saw no differentiators between Israeli customers and non-Israeli in their API requests."
