Transportation app Moovit’s bugs allowed hackers to ride for free

Title: Moovit App Vulnerabilities Could Have Led to Hijacked User Accounts and Data Breach


A security researcher at SafeBreach has discovered three vulnerabilities in the popular transportation app, Moovit. These vulnerabilities could have allowed hackers to exploit user accounts, gain access to personal information, and even use credit cards for unauthorized transactions. This article explores the potential impact of these vulnerabilities and highlights the actions taken by Moovit to address the issue.

The Perfect Attack: Exploiting Moovit’s Vulnerabilities

Omer Attias, the security researcher at SafeBreach, uncovered a series of vulnerabilities in the Moovit app that could have led to a significant data breach. By exploiting these vulnerabilities, attackers could collect sensitive user information, including cell phone numbers, email addresses, home addresses, and the last four digits of credit cards. The most alarming aspect was that attackers could have taken over other users’ accounts and used their credit cards to pay for their own rides, all without the victims ever discovering the breach.

Attias described this chain of exploits as “the perfect attack,” as it allowed complete impersonation of user accounts and access to personal information. The vulnerabilities were not limited to specific locations, as Moovit operates globally. Attias tested his exploits in Israel but believes they could have worked in other cities where Moovit is available.

Moovit: A Widely Used Transportation App

Moovit is an Israeli startup that was acquired by Intel in 2020 for $900 million. The app provides users with route planning, public transportation system maps, and ticket purchasing options. With a presence in 3,500 cities across 112 countries, Moovit claims to serve 1.7 billion riders worldwide.

Immediate Action Taken by Moovit

Despite the potential impact of these vulnerabilities, Moovit assured users that there is no evidence of malicious hackers exploiting the bugs. Attias reported the vulnerabilities to Moovit in September 2022, and the company promptly addressed and fixed them.

Moovit spokesperson Sharon Kaslassi emphasized that the vulnerabilities had been rectified and no customer action was required. Furthermore, Moovit does not store credit card information, ensuring that no credit card data was exposed. Kaslassi also mentioned that the ticketing service relevant to the findings was active only in Israel.

Attias Challenges Moovit’s Response

In response to Moovit’s comments, Attias and his colleagues at SafeBreach expressed their belief that they could have charged any customer, not limited to Israeli customers. They found no differentiation between Israeli and non-Israeli customers in the API requests.


The discovery of vulnerabilities in the Moovit app highlights the importance of robust security measures in transportation apps. While Moovit has taken immediate action to address the vulnerabilities, it serves as a reminder for users to remain vigilant about their personal information and monitor their financial transactions for any suspicious activity.

As technology continues to advance, it is crucial for app developers to prioritize security and regularly conduct thorough vulnerability assessments. Users should also ensure they are using the latest version of apps and follow best practices for online security.

By addressing vulnerabilities promptly and transparently, companies like Moovit can maintain user trust and safeguard their sensitive information.