
Hacker Took Over Ticketing App And Bought Train Tickets

A security researcher examined the interfaces of the globally active mobility app provider Moovit and discovered vulnerabilities that allowed accounts to be taken over and tickets to be purchased at the affected users' expense.

Moovit is one of the world's major providers of mobility services. Its app is meant to bring together as many local mobility offers as possible, including public transport services and the purchase of tickets for them. The company states that it is active in 3,500 cities and 112 countries and claims 1.7 billion users. Omer Attias, a security researcher at SafeBreach, told TechCrunch that he had discovered major vulnerabilities in the company's systems.

He found that one of these vulnerabilities allowed him to collect the personal data of new Moovit users from around the world, including cell phone numbers, email addresses, home addresses, and the last four digits of credit card numbers. With this information, he could then take over the affected users' accounts and use them to buy tickets.

“We can completely impersonate accounts without breaking the connection. It’s crazy, we actually have the ability to perform all operations on behalf of different accounts, including ordering train tickets,” Attias said in an interview with TechCrunch ahead of his presentation at the DefCon hacking conference in Las Vegas.

Moovit plays it down

Attias says he reported the flaws to Moovit in September 2022. The company states that it was already working on a fix at that point, which it says was rolled out a little later. "Customers don't need to take any action. It's important to note that no evil actors have taken advantage of these issues to access customer data," a spokesman said.

On one point, however, the company's and the researcher's accounts differ. Moovit states that the ticketing service affected by these flaws is only active in Israel. Attias clearly contradicts this: "We found no difference between Israeli and non-Israeli customers in their API requests."