Allegedly, a threat actor has shared details of this vulnerability, affecting millions of users associated with Volaris and Invex Mexico. While other hackers have reportedly discovered this vulnerability, they have chosen not to disclose it publicly. It is estimated that over 3 million cards, along with their numbers, dates, CVVs, and bank transactions, have been compromised.
The vulnerability itself is rather straightforward: it involves obtaining the encryption password of the Invex Control app. Once this password is obtained, all requests can be made without token verification. In practical terms, this means that one could access other cards using the same user token.
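The flaw class described above, as an added defensive example (not code from the Invex Control app or its backend): a weak handler that accepts any request sealed with the app-wide secret, next to a hardened handler that still verifies the token and the card's owner on the server. All names, tokens and card ids are constructed, and an HMAC stands in for the app's request encryption.

```python
import hashlib
import hmac

# Constructed sample data; nothing here comes from the page.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}        # token -> user
CARD_OWNER = {"card-1001": "alice", "card-2002": "bob"}    # card -> owner
APP_SECRET = b"PLACEHOLDER-secret-shipped-in-every-app"    # hypothetical value


def envelope(body: str) -> str:
    """Seal a request body. Anyone holding APP_SECRET can compute this,
    so it proves only that the sender has a copy of the app's secret."""
    return hmac.new(APP_SECRET, body.encode(), hashlib.sha256).hexdigest()


def handle_weak(token: str, card_id: str, mac: str) -> int:
    """Weak pattern: a valid envelope is treated as authorization.
    The token is never looked up and card ownership is never checked."""
    if not hmac.compare_digest(mac, envelope(f"{token}|{card_id}")):
        return 400
    return 200 if card_id in CARD_OWNER else 404


def handle_hardened(token: str, card_id: str, mac: str) -> int:
    """Hardened pattern: the envelope is only an integrity check.
    The session token and the card's owner are verified server-side."""
    if not hmac.compare_digest(mac, envelope(f"{token}|{card_id}")):
        return 400
    user = SESSIONS.get(token)
    if user is None:
        return 401          # unknown or forged token
    if CARD_OWNER.get(card_id) != user:
        return 403          # card belongs to a different user
    return 200


if __name__ == "__main__":
    # Alice's token asking for Bob's card, sealed with the shared secret.
    req = ("tok-alice", "card-2002", envelope("tok-alice|card-2002"))
    print("weak:", handle_weak(*req), "hardened:", handle_hardened(*req))
```

A secret embedded in a client cannot serve as an authorization boundary, so the ownership check has to run on every card request regardless of how the request is wrapped.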