At first it was described as an error that had been corrected “immediately”. But the security flaw detected on the T-Mobilitat website, which falls under the Metropolitan Transport Authority (ATM), and which exposed user data, has ultimately led to the temporary closure of the platform.
“Access to the t-mobilitat.cat website in this testing phase has been temporarily suspended,” T-Mobilitat reported on its own Twitter account. T-Mobilitat is the new rechargeable-card payment system for public transport and is currently in its pilot phase. “We have decided to carry out, with the Cybersecurity Agency, an exhaustive analysis to rule out any other undetected vulnerability,” they added. “The tests are still ongoing.”
In parallel, the ATM has announced that it has opened an information file on the company responsible for the website.
According to the ATM, during the time that this security hole existed, only one person accessed “non-sensitive data.” That person is a citizen who reported on Tuesday afternoon, in a Twitter thread, that he had been able to log in as the site's administrator user and had access to the data of about 2,000 users, with the ability to delete them or add new ones, as well as to all of the content on the website.
As he explains, he realized it after registering correctly, when moments later the website repeatedly redirected him to the main page. Later, the same user confirmed that those responsible had already changed the password.
Only on Monday, the ATM had announced that it would extend the T-Mobilitat usability tests to the general public and add new digital channels such as the website and the mobile application. This is one more phase of the tests that 4,000 users began in June, which checked validation with both the rechargeable card and the mobile phone.