Moovit mobility app bug offered hackers free rides

A potential security breach in a widely-used mobility app, Moovit, could have enabled hackers to not only secure free rides but also gain access to users' personal information, according to a security researcher.

Founded in Israel, Moovit was acquired by Intel in 2020 for a staggering $900 million. The app serves as a platform for users to plan routes, view public transportation maps, and even purchase and utilize tickets. The company boasts an extensive global reach, serving a user base of 1.7 billion riders across 112 countries in 3,500 cities.

Omer Attias, from SafeBreach, revealed the discovery of three vulnerabilities within the Moovit app. These flaws could have been exploited to gather the registration data of new Moovit users globally, including sensitive details like phone numbers, email addresses, home addresses, and the last four digits of credit cards. 

Most concerning was the potential for these vulnerabilities to facilitate account takeover, allowing hackers to utilize others’ credit cards for their travel expenses.

The attack unveiled

Attias, describing this chain of exploits as a seamless attack, highlighted the gravity of the situation. “We can fully impersonate accounts, without disconnecting them. It’s crazy; we can perform all the operations on behalf of different accounts, including ordering train tickets,” Attias said. “And additionally, we can access all of their personal information.”

In a demonstration, Attias displayed how he was able to commandeer other users’ accounts using a custom interface he developed. While the researcher’s tests were conducted solely in Israel, he surmised that the vulnerabilities might have been effective in other locations, given Moovit’s worldwide operational presence.

Taking power back

Despite the potentially far-reaching consequences of these vulnerabilities, Moovit has asserted that there is no indication of malicious hackers exploiting the bugs. 

Attias reported his findings to the company in September 2022. Subsequently, the company acted promptly to rectify the situation.

Moovit spokesperson Sharon Kaslassi said the company treated the vulnerability as requiring immediate attention: “Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue. The vulnerabilities have long since been fixed and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file.”

It’s time to Moovit

When developing an app destined for the consumer market, or any app, it is important to consider a few key security objectives. We caught up with Locate2u’s Head of Mobile, Peter Smyth King, for a more detailed look at what Moovit could have considered.

“Moovit was storing a lot of critical personal information and should have put more emphasis on security during the app design process. On a positive note, they acted quickly to rectify the security issue as they do understand the devastating impact a security hole can have,” King explained. 

In addition to acting promptly when a vulnerability becomes clear, King believes there are a few key security concerns to keep in mind when developing an app. 

  • Developers should adhere to data minimization principles, collecting only the data essential for app functionality and refraining from gathering unnecessary personal information.
  • Employ encryption for data in transit and at rest, using Transport Layer Security for transmission and strong encryption algorithms for storage.
  • Implement robust authentication, including multi-factor authentication, and secure APIs through authentication and rate limiting.
  • Conduct regular security audits and maintenance to identify and address vulnerabilities.
