Circumventing 6-digit-code


#1

Hello, I’ve found a potential security issue with the Revolut app that should be checked and (if valid) resolved as soon as possible.

When using the Revolut app with my second phone number (same phone, but different number, since I am in a different country atm) and doing a transfer, I get the 6-digit-code texted to my original number.

However, I can submit a transfer without entering the 6-digit-code.

When the app prompts me to enter the code (it was sent to my other number) and I switch apps (did this to get the code that a friend texted me) - after switching back to Revolut the transfer has been processed - without ever entering the code.

I’m using a OnePlus device running Android (OxygenOS 3.6.1) and the latest version of Revolut (4.8.1).


#2

Can’t reproduce this with Revolut 4.8.1, Android 8.0, OxygenOS 5.0.
Also, were you adding a new destination or just sending a transfer to a previous one?
:frowning: