Skip to main content

🔍✨Unveiling 5 Million+ Public Transport Connections: Still Open to Public View🔒💼

· 3 min read
Lucas Brunner

Buckle up for a wild ride! 🎢 Anyone can access more than 5 million connections that users have searched on the SBB app, and these records go back to 2019!

But there's more to this story: every connection includes not just the transit details, but also the precise GPS coordinates and addresses of the origin and destination 📌🌍. I didn't want anyone to find out I went to my favorite Migros yesterday 😱

Why is this a big deal? It potentially discloses sensitive information 🕵️‍♂️. Imagine this data could tell when you leave your home 🏠🔐 - invaluable for burglars, right? Moreover, it could even reveal sensitive personal information based on your frequented destinations - for instance, sexual orientation/behavior. 💔🔍

This discovery serves as a potent reminder to tread cautiously when searching on public platforms. Pro tip: search from a nearby station, not directly from your local address. This simple adjustment can help safeguard your digital footprint! 🛤️🔎

This vulnerability is found in one of SBB's URL shorteners, which I recently explored. When I disclosed this to SBB, their intriguing response was "Not a bug in the traditional sense." 🐜👀 Find out more about their response in the comments!

But there's a silver lining here 🍒💥: This URL shortener is now part of their Bug Bounty Program. Applause to SBB for promptly revising the program's scope. Who knows? The next keen-eyed individual to discover a vulnerability could potentially earn a bounty for their findings!

What other potential risks can you think of related to this vulnerability? How can we bolster privacy and data security in public services? And how serious do you think this situation is? Let's discuss! 👇🔬🧠

For the sake of transparency, here's SBB's response to my report can be found below:

I'm curious to know your perspective on this. How can we ensure safer online searches? Let's get the ball rolling on this important conversation! 💡👥👇

Participate on LinkedIn: LinkedIn

Hallo Lucas

Nochmals Danke für deinen Input und auch für den PoC Code.

Wir werden das Thema mit dem entsprechenden Geschäftsbereich definitiv weiter anschauen.
Aus Sicht Security werden wir uns dafür einsetzen, dass hier gewisse Anpassungen gemacht werden.

Als Bug im eigentlichen Sinne werten wir deine Meldung allerdings nichts und wir können dir daher auch kein Bounty anbieten (da zudem aktuell noch nicht im Scope unseres BB Programms).
Wie erwähnt freuen wir uns aber, falls du auf unserem BB Programm bei Intigriti neue Findings posten möchtest.

Ich hoffe das passt so für dich und wünsche eine gute Woche.
Danke und Gruss, SBB Mitarbeiter