Moovit app bug allows hackers to secure free rides


Security researchers uncover vulnerabilities in the Moovit app

Hackers could have exploited users' personal accounts on the popular transit app Moovit to get free rides, along with access to sensitive information, according to security researcher Omar Atias. Atias found three vulnerabilities in the app that allowed him to extract registration information for new Moovit customers worldwide, including phone numbers, email addresses, home addresses and the last four digits of bank cards. In addition, the bugs would have allowed Atias to take over various customer accounts, giving him access to their bank cards to make purchases.

Atias' discoveries and masterful attacks

Atias said the entire series of exploits could have been carried out without the targets' knowledge, until they noticed unauthorized charges on their credit cards. He described this as a real attack because his technique allowed him to fully impersonate accounts without disconnecting them. This meant he was able to conduct any transaction on behalf of the various accounts, including ordering train tickets and accessing all of their personal information.

Extent of the weaknesses

To show the impact of these bugs, Atias developed a custom interface that allowed him to manage various people's accounts with just a few taps. Although Atias only tested his exploits in Israel, he believes they would work in other cities as well, given that Moovit operates globally. The app, acquired by Intel in 2020 for $900 million, is widely used around the world, serving 1.7 billion riders in 3,500 cities across 112 countries.

Moovit's response and commitment

Moovit said there is no evidence that malicious hackers found and exploited these vulnerabilities. Atias reported all the bugs he found to the company in September 2022, and it fixed the issues immediately. Moovit spokeswoman Sharon Kaslasi said that the vulnerabilities have already been fixed and no customer action is required. Kaslasi also stressed that no unauthorized person exploited the vulnerabilities to access customer data, and that credit card data is not stored by Moovit or its partner Moovit-Pango. Kaslasi also said that the ticketing service mentioned in the findings is active in Israel.


The vulnerabilities found by security researcher Omar Atias in the Moovit app shed light on the potential threats faced by users of popular transit apps. While Moovit has assured its customers that the issues have been resolved and no malicious activity has been detected, the incident urges customers to stay vigilant and to update their apps regularly to make sure their personal information is secure. It serves as a reminder to do so.

Frequently Asked Questions (FAQ)

1. What vulnerabilities did Omar Atias discover in the Moovit app?

Omar Atias found three vulnerabilities in the Moovit app that allowed him to collect current customer registration information, including phone numbers, email addresses, home addresses and the last four digits of bank cards. These vulnerabilities also gave him the ability to take over other customer accounts and access their credit card information for his own purchases.

2. How did Atias describe the attack?

According to Omar Atias, this series of exploits could have been carried out without difficulty and without the target being aware of it, apart from unauthorized charges on their credit card. Atias pointed out that he could fully impersonate accounts and perform a variety of operations on behalf of various accounts, such as ordering train tickets and accessing their personal information. That is why he called it a real attack.

3. How widespread is the impact of these vulnerabilities?

While Atias only tested his exploits in Israel, he believes they may work in other cities where Moovit operates. Moovit is an app used worldwide, serving 1.7 billion users in 3,500 cities in 112 countries.

4. What action has Moovit taken to address the vulnerabilities?

Atias reported all the bugs he found to Moovit in September 2022 and the company quickly fixed the issues. Moovit has assured its customers that the vulnerabilities have been fixed and no customer action is required. It also stressed that no customer information has been accessed by unauthorized persons and that credit card information is not stored on file by Moovit or Moovit-Pango.

5. Are Moovit services outside of Israel affected?

According to a Moovit spokesperson, the ticketing service associated with the vulnerabilities is only active in Israel. The spokesperson added that there have been no reports of customer information being exploited, either inside or outside Israel.
