There are a lot of apps that require private information in order to provide their services, such as social media and transportation apps. The problem is that these apps sometimes lack the proper security measures to protect customer data, which puts their users at risk. Moovit, it appears, is among those apps.
Moovit Bug Exploited
Omer Attias, a security researcher at SafeBreach, found three vulnerabilities in the Moovit app's systems that bad actors could have exploited with little effort. Through these bugs, attackers would have been able to charge their own rides to other users' accounts.
The flaws would also have allowed threat actors to collect sensitive information such as phone numbers, email addresses, home addresses, and partial credit card numbers, as reported by TechCrunch. This data could be obtained without the account owner knowing about it.
The only sign a victim would notice is irregular charges on their account. Attias calls it "the perfect attack" because the attacker can impersonate an account without disconnecting the legitimate user from it. He was able to operate "on behalf of different accounts," including ordering train tickets.
Attias demonstrated his findings by building a custom interface that let him take over user accounts easily. He only tested the exploit in Israel, but said it would have worked in the other countries where Moovit operates.
The company acknowledged that the vulnerabilities were serious, though it says there is no evidence that hackers found and exploited the bugs. Attias reported the flaws to Moovit, and they have since been fixed.
Moovit spokesperson Sharon Kaslassi also said the company was "aware of and rectifying the issue when it was reported." According to the company, no bad actors accessed customer data through the vulnerabilities before they were fixed.
Kaslassi also clarified that the ticketing services affected in the demonstration were only active in Israel. Moovit's records show that no one, SafeBreach included, accessed the customer data exposed by the exploit.
Why It's a Big Deal
Had the vulnerabilities not been found by a security researcher first, things could have been much worse for the company. According to DMR, the app has over 950 million users in 3,000 cities across 100 countries. That is a lot of private data that could have been stolen.
Many user accounts could have been used to pay for other people's fares. The more serious threat would have been the attacker's access to personal information, which could be used for fraud directed at the user.
Names, home addresses, email addresses, and phone numbers are all used by threat actors to conduct phishing attacks, in which they send malicious links in order to gain access to even more private data than they already hold.
With close to a billion users, containing such an incident would have been a nightmare for the company. Luckily for Moovit, the vulnerabilities were fixed before hackers discovered them.