Bugs in Moovit could have allowed hackers to take free rides

SAN FRANCISCO: A security researcher found serious vulnerabilities in the ride-hailing app Moovit that could have allowed hackers to compromise users’ accounts and their financial information to get free rides.

Omer Attias who is a security researcher at SafeBreach, spotted three bugs in Movie which allowed him to collect new user’s registration information from all over the world.

The bugs could have allowed him to take over other people’s accounts, and consequently their credit cards, to pay for his own rides, reports TechCrunch.

“We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets,” Attias was quoted as saying in the report.

Attias, in fact, created a custom interface that allowed him to take over other people’s accounts with just a few taps.

Moovit is an Israel-based mobility-as-a-service provider and journey planner app. It has been owned by Intel through the Mobileye subsidiary since 2020.

It claims to serve 1.7 billion riders in 3,500 cities across 112 countries.

The company, however, said there is no evidence that malicious hackers found and exploited these bugs.

“Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue,” a company spokesperson was quoted as saying in the report.

The vulnerabilities have long since been fixed and no customer action is required, the spokesperson added.

In May 2020, Moovit was acquired by Intel for $900 million and has integrated with Mobileye. In October 2022, Moovit was acquired by Mobileye from Intel as part of Mobileye's IPO.