Share this article on:
An Intel-owned Israeli transport app was recently shown to have three vulnerabilities that could have led to customer data being stolen by malicious actors.
A security researcher revealed the flaws in the Moovit app, telling TechCrunch that the three vulnerabilities allowed him to access customer information from all over the world.
As well as being able to access addresses, phone numbers, and email details, SafeBreach’s Omer Attias said that he could even take over accounts and even make charges to other people’s credit cards.
The only hint anything was wrong would have been the extra charges on a customer’s credit card.
“We can fully impersonate accounts, without disconnecting them. It’s crazy; we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets,” Attias told TechCrunch while presenting at the recent DEF CON hacking conference in Las Vegas. “And additionally, we can access all of their personal information.”
Attias only tested his access from Israel, but he is certain the exploit chain would allow malicious access in cities worldwide.
“Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue,” a Moovit spokesperson told TechCrunch. “The vulnerabilities have long since been fixed, and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file.”
Intel acquired Moovit in 2020 for an impressive US$900 million. The app lets users browse routes and public transport information, as well as purchase tickets. Moovit has 1.7 billion customers.
Comments powered by CComment