
Security researcher finds vulnerabilities in popular transportation app Moovit

The Silicon Review
14 August, 2023


A security researcher at SafeBreach has discovered three vulnerabilities in the Moovit transportation app, which could have allowed hackers to collect new Moovit users' registration information, including cell phone numbers, email addresses, home addresses, and the last four digits of credit cards. A hacker could also have taken over other people’s accounts to pay for their own rides, potentially without the targets ever realising, beyond seeing unwanted charges on their credit card. The researcher, Omer Attias, demonstrated the effect of the bugs by creating a custom interface that allowed him to take over other people’s accounts via a couple of taps. Moovit is an Israeli start-up that was acquired by Intel in 2020 for $900m. It is widely used in 3,500 cities across 112 countries.

It allows users to purchase and use tickets, as well as to find and view public transportation systems’ maps. Moovit-Pango, the ticketing service relevant to the vulnerabilities found by SafeBreach, is, however, active only in Israel, the company said. Attias reported the bugs he found to the company in September 2022, and they have since been fixed. Moovit said there was no evidence that malicious hackers found and exploited the vulnerabilities. The company also noted that no credit card information was exposed, as Moovit and Moovit-Pango do not keep such information on file.