Threat Actor: Unknown
Victim: Volaris and Invex Mexico
Price: Not specified
Exfiltrated Data Type: Credit card details (numbers, dates, CVVs, and bank transactions)
Additional Information:
- The vulnerability involves obtaining the encryption password of the Invex Control app.
- Once the password is obtained, all requests can be made without token verification.
- This allows access to other cards using the same user token.
A threat actor has allegedly shared details of a vulnerability affecting millions of users associated with Volaris and Invex Mexico. Other hackers have reportedly discovered the same vulnerability but chosen not to disclose it publicly. It is estimated that over 3 million cards, along with their numbers, dates, CVVs, and bank transactions, have been compromised.
The vulnerability itself is rather straightforward: it involves obtaining the encryption password of the Invex Control app. Once this password is obtained, all requests can be made without token verification. In practical terms, this means that one could access other cards using the same user token.
Original Source: https://dailydarkweb.net/threat-actor-allegedly-shared-vulnerability-for-volaris-invex-cards-system-exposing-3-million-credit-cards/