Bus Public Transit App
Monthly
Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. A proof-of-concept exploit has been publicly released via GitHub and Google Drive, and the vendor did not respond to responsible disclosure - no patch is confirmed available at time of analysis.
Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. A proof-of-concept exploit has been publicly released via GitHub and Google Drive, and the vendor did not respond to responsible disclosure - no patch is confirmed available at time of analysis.