[ad_1]
Hackers might have hijacked the consumer accounts of a well-liked transportation app and used them to get free rides and entry individuals’s private info, based on a safety researcher.
Omer Attias, a safety researcher at SafeBreach, mentioned he discovered three vulnerabilities within the Moovit app, which allowed him to gather new Moovit consumer’s registration info from all around the world — together with cellphone numbers, electronic mail addresses, house addresses, and the final 4 digits of bank cards. Worst of all, the bugs might have allowed him to take over different individuals’s accounts, and consequently their bank cards, to pay for his personal rides.
This complete chain of exploits might have been carried out with out the goal ever discovering out, aside from seeing undesirable prices on their bank card. Attias known as it “the proper assault.”
“We will absolutely impersonate accounts, with out disconnecting them. It’s loopy, we even have the power to carry out all of the operations on behalf of various accounts, together with ordering practice tickets,” Attias instructed TechCrunch in an interview forward of his discuss on the Def Con hacking conference in Las Vegas. “And moreover, we will entry all of their private info.”
To display the impression of the bugs he discovered, Attias created a customized interface that allowed him to take over different individuals’s accounts with a few faucets. And whereas Attias mentioned he examined his exploits solely in Israel, he mentioned he thinks it might have labored in different cities provided that Moovit operates all around the world.
Moovit is an Israeli startup that was acquired by Intel in 2020 for $900 million. The app permits customers to search out routes and consider public transportation programs’ maps, in addition to to buy and use tickets. The app and its underlying expertise are extensively used worldwide: Moovit claims to serve 1.7 billion riders in 3,500 cities throughout 112 nations.
Whereas the impression of those vulnerabilities was probably huge, Moovit mentioned there isn’t a proof that malicious hackers discovered and exploited these bugs. Attias mentioned that he reported all of the bugs he discovered to the corporate in September 2022, and the corporate subsequently fastened them.
“Moovit was conscious of and rectifying the problem when it was reported, and took instant steps to complete correcting the problem,” Moovit spokesperson Sharon Kaslassi instructed TechCrunch. “The vulnerabilities have lengthy since been fastened and no buyer motion is required. It’s vital to notice that no dangerous actors took benefit of those points to entry buyer knowledge. Moreover, no bank card info was uncovered as Moovit and Moovit-Pango don’t preserve bank card info on file.”
Kaslassi additionally mentioned that “ticketing service related to those findings is energetic in Israel solely.”
“Based on our data, neither Safebreach or anybody else took benefit of any buyer knowledge in or exterior of Israel,” the spokesperson added.
In response to Moovit’s feedback, Attias mentioned that he and his colleagues “imagine we might have charged any buyer not restricted to Israeli prospects. We haven’t seen any differentiator between Israeli and non Israeli prospects of their API requests.”
Learn extra from Black Hat:
[ad_2]
