or: The blog post Revolut doesn't want you to read ;o)<p>or: How Revolut self-owned by way of XSS<p>That page was presented to me as an in-app communication that I noticed after not getting through a transfer to my debit card, and I wanted to get the url to send to my bank. After failing to google it, I noticed a tag below the article saying `unlisted`.<p>Not being easily frustrated by such a feeble attempt, I cranked out android-studio and apktool, but stopped after tracking a build error (in my attempt at recompiling for debug) back to a ticket in something called apk-backdoor ...<p>It seems like Revolut at least has their basic security measures right. At that point, I also want to applaud Revolut for communicating openly with their customers, even if not posting this publicly seems ridiculous to me.<p>So how did I actually get at the url? Logcat? Binary disassembly? MITMing myself?
Nope. I just pushed the floating `open in app` button, which triggered a 404 page with a broken Medium in-app link. <lol.gif><p><a href="https://imgur.com/a/eRaTZ" rel="nofollow">https://imgur.com/a/eRaTZ</a>