
New Delhi, UPDATED: Aug 15, 2023 13:55 IST
A major security flaw in a ride-hailing app allowed hackers to take free rides. The hackers were able to access users’ information and personal details. The incident involves an app called Moovit.
According to TechCrunch, Omer Attias, a cybersecurity expert from SafeBreach, delved into the Moovit app and unearthed three vulnerabilities that could have allowed unauthorized access to the accounts of users worldwide. This included the collection of sensitive data such as phone numbers, email addresses, home addresses, and even the last four digits of credit cards. To make matters worse, these weaknesses could have potentially enabled the hijacking of user accounts, paving the way for unauthorized usage and fraudulent transactions.
Remarkably, this chain of security breaches could have occurred without the victims ever being aware, except for discovering unexpected charges on their credit cards. Attias dubbed this method the “perfect attack.”
Attias revealed that the attackers could have not only taken control of others’ accounts but could have also performed various operations on their behalf, such as ordering train tickets. Furthermore, they could access all personal information linked to these accounts.
To demonstrate the extent of the potential damage, Attias created a custom tool that allowed him to effortlessly take over other people’s accounts with a few taps. While his testing was focused on Israel, he believed that similar vulnerabilities could have existed in other cities, given that Moovit operates on a global scale.
Moovit, a startup hailing from Israel, was acquired by Intel in 2020 for a substantial sum of $900 million. The app serves as a virtual guide for commuters, offering route guidance, maps of public transportation systems, and the option to purchase tickets. This technology reaches far and wide, boasting a user base of 1.7 billion riders spanning 3,500 cities across 112 countries.
Although the potential impact of these vulnerabilities was significant, Moovit has reassured users that no evidence of malicious exploitation has been found. Attias took the responsible step of notifying Moovit about the vulnerabilities he uncovered in September 2022, and the company promptly addressed and rectified the issues.
This revelation underscores the ever-present need for heightened cybersecurity measures, particularly in apps that manage sensitive user data and transactions. The incident serves as a reminder that constant vigilance and prompt response to potential vulnerabilities are crucial to maintaining the security and trust of users worldwide.