A potential security breach in a widely-used mobility app, Moovit, could have enabled hackers to not only secure free rides but also gain access to users’ personal information, according to a security researcher.
Founded in Israel, Moovit was acquired by Intel in 2020 for a staggering $900 million. The app serves as a platform for users to plan routes, view public transportation maps, and even purchase and utilize tickets. The company boasts an extensive global reach, serving a user base of 1.7 billion riders across 112 countries in 3,500 cities.
Omer Attias, from SafeBreach, revealed the discovery of three vulnerabilities within the Moovit app. These flaws could have been exploited to gather the registration data of new Moovit users globally, including sensitive details like phone numbers, email addresses, home addresses, and the last four digits of credit cards.
Most concerning was the potential for these vulnerabilities to facilitate account takeover, allowing hackers to utilize others’ credit cards for their travel expenses.
The attack unveiled
Attias, describing this chain of exploits as a seamless attack, highlighted the gravity of the situation. “We can fully impersonate accounts, without disconnecting them. It’s crazy; we can perform all the operations on behalf of different accounts, including ordering train tickets,” Attias said. “And additionally, we can access all of their personal information.”
In a demonstration, Attias displayed how he was able to commandeer other users’ accounts using a custom interface he developed. While the researcher’s tests were conducted solely in Israel, he surmised that the vulnerabilities might have been effective in other locations, given Moovit’s worldwide operational presence.
Taking power back
Despite the potentially far-reaching consequences of these vulnerabilities, Moovit has asserted that there is no indication of malicious hackers exploiting the bugs.
Attias reported his findings to the company in September 2022. Subsequently, the company acted promptly to rectify the situation.
Moovit spokesperson Sharon Kaslassi understands that this vulnerability needed immediate attention, “Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue. The vulnerabilities have long since been fixed and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file.”
It’s time to Moovit
When developing an app that’s destined for the consumer market – or any app, it’s important to consider a few key security objectives. We caught up with Locate2u’s Head of Mobile, Peter Smyth King for a more detailed look at what Moovit could have considered.
“Moovit was storing a lot of critical personal information and should have put more emphasis on security during the app design process. On a positive note, they acted quickly to rectify the security issue as they do understand the devastating impact a security hole can have,” King explained.
In addition to acting promptly when a vulnerability becomes clear, King believes there are a few key security concerns to keep in mind when developing an app.
- Developers should attempt to adhere to data minimization principles, collecting only essential data for app functionality and refraining from unnecessary personal information.
- Employ encryption techniques for data security during transmission and storage, using Transport Layer Security and encryption algorithms.
- Implement robust authentication, including multi-factor authentication, ensure secure APIs through authentication and rate limiting, and
- Conduct regular security audits and maintenance to identify and address vulnerabilities.
Share this article
About the author
Marce has contributed tech to various prominent publications since 2018, offering a transparent perspective into the tech industry and its effects on its users. She now spends her time developing insightful content for industry players. You know, when she's not gaming or geeking out about the latest fad.
