Moovit: One App, Billions of Passengers, Hacker’s Data

Omer Attias, a Security Specialist from Safebreach, has uncovered three vulnerabilities in Moovit, the application for transport services. These errors allowed Attias to access data from new user registrations worldwide, including mobile phone numbers, email addresses, home addresses, and the last four digits of credit cards. Additionally, he was able to hijack other people’s accounts and use them to pay for his own trips. Attias refers to this type of attack as “ideal” because the victim remains unaware.

In order to demonstrate the vulnerabilities, Attias created his own interface that enabled easy manipulation of other people’s accounts with just a few clicks. Although these experiments were conducted in Israel, Attias believes that similar attacks could work in other countries as well.

Moovit, an Israeli startup acquired by Intel for $900 million in 2020, offers users the ability to find routes, view public transport cards, and purchase and use tickets. According to Moovit, the application serves 1.7 billion passengers in 3,500 cities across 112 countries.

Despite the potentially significant impact of these vulnerabilities, Moovit stated that there is no evidence that attackers exploited these flaws.

Attias claims that he reported all the vulnerabilities he discovered to the company in September 2022, and Moovit subsequently addressed them.

Sharon Kaslavsi, a representative from Moovit, emphasizes that the bugs did not expose credit card information since the company does not store such data.
