Hackers may have hijacked the consumer accounts of a well-liked transportation app and used them to get free rides and entry folks’s private data, in keeping with a safety researcher.
Omer Attias, a safety researcher at SafeBreach, stated he discovered three vulnerabilities in the Moovit app, which allowed him to gather new Moovit consumer’s registration data from everywhere in the world — together with mobile phone numbers, e mail addresses, house addresses, and the final 4 digits of bank cards. Worst of all, the bugs may have allowed him to take over different folks’s accounts, and consequently their bank cards, to pay for his personal rides.
This complete chain of exploits may have been carried out with out the goal ever discovering out, other than seeing undesirable costs on their bank card. Attias known as it “the perfect attack.”
“We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets,” Attias advised TechCrunch in an interview forward of his speak on the Def Con hacking conference in Las Vegas. “And additionally, we can access all of their personal information.”
To display the influence of the bugs he discovered, Attias created a customized interface that allowed him to take over different folks’s accounts with a few faucets. And whereas Attias stated he examined his exploits solely in Israel, he stated he thinks it may have labored in different cities provided that Moovit operates everywhere in the world.
Moovit is an Israeli startup that was acquired by Intel in 2020 for $900 million. The app permits customers to search out routes and think about public transportation techniques’ maps, in addition to to buy and use tickets. The app and its underlying know-how are broadly used worldwide: Moovit claims to serve 1.7 billion riders in 3,500 cities throughout 112 nations.
While the influence of those vulnerabilities was doubtlessly large, Moovit stated there isn’t any proof that malicious hackers discovered and exploited these bugs. Attias stated that he reported all of the bugs he discovered to the corporate in September 2022, and the corporate subsequently fastened them.
“Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue,” Moovit spokesperson Sharon Kaslassi advised TechCrunch. “The vulnerabilities have long since been fixed and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file.”
Kaslassi additionally stated that “ticketing service relevant to these findings is active in Israel only.”
“According to our records, neither Safebreach or anyone else took advantage of any customer data in or outside of Israel,” the spokesperson added.
In response to Moovit’s feedback, Attias stated that he and his colleagues “believe we could have charged any customer not limited to Israeli customers. We haven’t seen any differentiator between Israeli and non Israeli customers in their API requests.”
Read extra from Black Hat: