ML Wallet Vulnerability

Neil Mark Ochea
Oct 4, 2022


Disclaimer: The purpose of this research is to improve and strengthen security. All issues discovered in this research were reported to the security team. The researcher is not affiliated with any hacking groups. The researcher didn’t include the sensitive data in this write-up, to reduce exposure to the vulnerability. The researcher follows the vulnerability disclosure policy.

Introduction

First of all, I would like to thank Jaypee Marquez and Art Samaniego Jr. for helping me to reach out to the M Lhuillier Team, and M Lhuillier, who patched the vulnerability.

This is a short write-up about the ML Wallet Firebase Database vulnerability. In December 2021 I discovered that the ML Wallet application had no security restrictions on its Firebase Database, so anyone could query the database using the endpoint, which led to information disclosure including millions of ML Wallet user IDs, customer IDs, driver numbers, locations, tokens and many more.
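For teams checking their own project for this class of misconfiguration, the following is an added example (not part of the original write-up and not M Lhuillier's code) that audits an exported rules file for paths readable or writable without authentication. It assumes the Firebase Realtime Database rules format, which the write-up does not specify; the sample rules are constructed, and `audit` and `is_public` are hypothetical helper names.

```python
import json

# Constructed sample rules in the Firebase Realtime Database rules format
# (not the real ML Wallet configuration, which the write-up does not publish).
SAMPLE_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "tokens": { ".write": "true" }
  }
}
""")

def is_public(expr):
    """Heuristic: a rule is public when it can pass without consulting `auth`."""
    if isinstance(expr, bool):
        return expr
    text = str(expr).strip()
    return text != "false" and "auth" not in text

def audit(node, path="/", inherited=frozenset()):
    """Walk the rules tree and return (path, op, reason) findings.

    Realtime Database rules cascade: access granted at a parent cannot be
    revoked by a child, so stricter rules under a public node are reported too.
    """
    findings = []
    open_here = set(inherited)
    for op in (".read", ".write"):
        if op in node and is_public(node[op]):
            findings.append((path, op, "public rule"))
            open_here.add(op)
        elif op in inherited and op in node:
            findings.append((path, op, "overridden by public parent"))
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, path + key + "/", frozenset(open_here))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES["rules"]):
        print(*finding)
```

The second finding is the one that is easy to miss in review: the per-user `.read` rule looks correct, but the public `.read` at the root already grants access to everything beneath it.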

To be honest, I felt sad because I didn’t even get to talk or connect with the M Lhuillier Security Team, but still, I’m happy because the vulnerability is already patched.

Proof of Concept

Disclosure Timeline

December 31, 2021 — I contacted Art Samaniego Jr. for help regarding this vulnerability issue.

January 2022 — I sent the proof of concept and an exploit about the vulnerability to Art Samaniego Jr. to report to the M Lhuillier team.

September 2, 2022 — A few months ago I checked the vulnerability again and it was already patched.

Thanks for reading this article, I hope you guys learn something new today. Please share this article to spread the knowledge.

Don’t forget to follow and connect with me through LinkedIn, and Twitter.
