
Comment by config_yml

3 years ago

They're a small company with an even smaller engineering team, I think 13 devs or something like that. I would imagine either everyone knows about it immediately, or they are so overloaded with work that it gets deprioritised into oblivion after a quick first look.

It's not an excuse, it's just poor engineering culture or lack of security awareness. I work with an engineering team of 5 - security issues still get prioritised and fixed. Feature work gets deprioritised, as it should, as soon as there's a credible security concern.

All they had to do was add and validate a nonce value in the state or, at the very least, to triage, sanitize the subdomain value. The latter would literally be a 10-minute fix.
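The two fixes the comment above describes, a nonce bound to the user's session and carried in the OAuth `state`, plus strict validation of the subdomain label that rides along in it, as an added example that is not part of the original thread and not the vendor's code. Everything here is assumed: a dict stands in for a server-side session store, `STATE_SIGNING_KEY` stands in for a key loaded from a secret store, `PARENT_DOMAIN` is a placeholder, and `naive_redirect_target` is only a constructed illustration of what unvalidated string interpolation permits, not a description of the actual bug.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets

# Hypothetical signing key; in production load it from a secret store, never generate per process.
STATE_SIGNING_KEY = secrets.token_bytes(32)
PARENT_DOMAIN = "example.com"  # hypothetical parent domain that tenant subdomains hang off

# A single DNS label: lowercase alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sanitize_subdomain(value) -> str:
    """Accept only a plain DNS label; anything else (slashes, dots, '#', '@') is rejected."""
    if not isinstance(value, str) or not SUBDOMAIN_RE.fullmatch(value):
        raise ValueError("invalid subdomain label")
    return value


def naive_redirect_target(subdomain: str) -> str:
    """Constructed 'before': trusts the value, so a crafted label rewrites the host the browser sees."""
    return f"https://{subdomain}.{PARENT_DOMAIN}/oauth/callback"


def make_state(session: dict, subdomain: str) -> str:
    """Build the OAuth state: {nonce, subdomain} as JSON, HMAC-SHA256 signed, nonce remembered in the session."""
    nonce = secrets.token_urlsafe(32)
    session["oauth_nonce"] = nonce  # bound to this browser session, checked once on callback
    payload = json.dumps(
        {"n": nonce, "sd": sanitize_subdomain(subdomain)}, separators=(",", ":")
    ).encode("utf-8")
    tag = hmac.new(STATE_SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def validate_state(session: dict, state: str) -> str:
    """Verify signature, then nonce against the session (single use), then the subdomain; return redirect URL."""
    try:
        payload_b64, tag_b64 = state.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed state") from exc

    expected_tag = hmac.new(STATE_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("state signature mismatch")  # payload was forged or altered

    data = json.loads(payload)
    expected_nonce = session.pop("oauth_nonce", None)  # pop: a state value can only be redeemed once
    if expected_nonce is None or not hmac.compare_digest(str(data.get("n", "")), expected_nonce):
        raise ValueError("nonce mismatch: state does not belong to this session")

    # Defence in depth: the label was validated on the way in, but re-check it before building a URL.
    subdomain = sanitize_subdomain(data.get("sd"))
    return f"https://{subdomain}.{PARENT_DOMAIN}/oauth/callback"


if __name__ == "__main__":
    sess = {}
    st = make_state(sess, "acme")
    print("state:", st)
    print("redirect:", validate_state(sess, st))
    # Constructed illustration: an unvalidated label hijacks the host, a validated one is rejected outright.
    print("naive:", naive_redirect_target("evil.test/#"))
    try:
        sanitize_subdomain("evil.test/#")
    except ValueError as err:
        print("sanitized:", err)
```

The signature stops an attacker from minting a `state` with a subdomain of their choosing, the session-bound nonce stops a login-CSRF where the victim is made to complete someone else's authorization flow, and `session.pop` makes each state single-use so a captured callback URL cannot be replayed. The regex check is deliberately an allowlist of one DNS label rather than a blocklist of bad characters.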