
Revolut's botched BIC update - bendlas
https://medium.com/revolut/update-on-bank-transfer-top-up-issue-784108626737
======
bendlas
or: The blog post Revolut doesn't want you to read ;o)

or: How Revolut self-owned by way of XSS

That page was presented to me as an in-app communication that I noticed after
not getting through a transfer to my debit card, and I wanted to get the
URL to send to my bank. After failing to google it, I noticed a tag below the
article saying `unlisted`.

Not being easily frustrated by such a feeble attempt, I cranked out android-
studio and apktool, but stopped after tracking a build error (in my attempt at
recompiling for debug), back to a ticket in something called apk-backdoor ...

It seems like Revolut at least has their basic security measures right. At
that point, I also want to applaud Revolut for communicating openly with their
customers, even if not posting this publicly seems ridiculous to me.

So how did I actually get at the url? Logcat? Binary disassembly? MITMing
myself? Nope. I just pushed the floating `open in app` button, which triggered
a 404 page with a broken Medium in-app link. <lol.gif>

[https://imgur.com/a/eRaTZ](https://imgur.com/a/eRaTZ)

