Incident

Mobility app Moovit vulnerable, exposes user data and enables free rides


A combination of vulnerabilities has been identified in Moovit, a widely used mobility app. Moovit, originally founded in Israel and acquired by Intel in 2020 for a significant $900 million, serves as a comprehensive platform for users to plan routes, access public transportation maps, and even buy and use tickets.

With a vast global presence, the app caters to a user base of 1.7 billion riders spanning 112 countries and 3,500 cities.

Security researchers have uncovered three vulnerabilities within the Moovit app. Exploiting these vulnerabilities could enable hackers to:

  1. obtain free rides
  2. gain unauthorized access to users' personal information.

The potentially compromised data includes registration details of new Moovit users worldwide, encompassing sensitive details such as phone numbers, email addresses, home addresses, and the last four digits of credit cards.

The vulnerabilities enable the attacker to execute account takeovers, allowing malicious actors to misuse others' credit cards for their own travel expenses.

The security researchers have described chaining the vulnerabilities as a seamless attack that fully impersonates accounts and performs all operations on behalf of other accounts, including ordering train tickets.

Moovit has emphasized that there is no evidence of malicious hackers having exploited the flaws. The vulnerabilities were reported to the company in September 2022, prompting quick action to address the situation.

Moovit acknowledged the urgency and confirmed that the vulnerabilities have long since been fixed and that no customer action is required. It appears that no bad actors took advantage of these issues to access customer data.