Refuses Password

[tcurdt]

Login works fine on the website but the extension does not work anymore.

[lenusch]

same here, password refused. Makes no sense. Did the Password Lengh changed? because i think i have a long Password.

Protocol version: Web Scraping Server address: https://www.mintos.com/en/login Sending: GET https://www.mintos.com/en/login The server responded with the error message: Service Temporarily Unavailable. Retrying... Sending: GET https://www.mintos.com/en/login HTTPS response: Service Temporarily Unavailable Der Server Ihrer Bank meldet einen internen Fehler. Bitte versuchen Sie es später noch einmal.

[Argent]

I have the same issue. Password is working on the website

[joysanity]

same here, password refused. "Das Passwort wurde vom Server als ungültig abgewiesen."

[tcurdt]

Is there any way we can help?

[Argent]

I tried it with curl and it might only be a problem with the login url. I tried https://www.mintos.com/en/login and that seemed to work. I would try and test the plugin with these changes, but I have no idea how to get MoneyMoney to load an unsigned extension

[lenusch]

I tried it with curl and it might only be a problem with the login url. I tried https://www.mintos.com/en/login and that seemed to work. I would try and test the plugin with these changes, but I have no idea how to get MoneyMoney to load an unsigned extension

But the extensions already uses https://www.mintos.com/en/login ? or do you mean without the "check" at the end? Because the https://www.mintos.com/en/login/check ends up in a 404

[zafai]

It looks like that this is the same problem as https://github.com/deflomu/moneymoney-mintos-extension/issues/18 Mintos has now a cloudflare ddos protection and when you try to access Mintos via MoneyMoney I'm getting a password refuse or a HTTPS response: Service Temporarily Unavailable

[tcurdt]

I tried it with curl and it might only be a problem with the login url. I tried https://www.mintos.com/en/login and that seemed to work. I would try and test the plugin with these changes, but I have no idea how to get MoneyMoney to load an unsigned extension

You need to use the beta to load unsigned plugins AFAIK.

[tcurdt]

@zafai but even if this is the same issue, I am not sure why the DDoS check should be triggered by the few requests from moneymoney. Maybe it should use a different agent header?

[zafai]

@tcurdt Mintos is protection the /en/login page by the Cloudflare Feature "I'm Under Attack Mode" this force the user to have JavaScript and cookie support to access the page.

This guy is writing a python script that is using node.js to solve that problem https://github.com/Anorov/cloudflare-scrape

And in the Issue section I found a guy that was able to access Mintos with his script. https://github.com/Anorov/cloudflare-scrape/issues/287

The problem is that we don't have JavaScript/Python/Node.js support in MoneyMoney Lua Extensions as far that I know.

[tcurdt]

If that is what Cloudflare checks we are screwed - probably also for other extensions. But if @Argent is right and it works with curl it might not be that. Maybe it's just the user agent or cookie support? (wishful thinking)

[lenusch]

A. (Mintos)

18. Sep., 15:35 EEST Hi Lenusch,

Thank you for your message and for the information provided.

Yes, we did change the login system recently.

Current;y we are using the captcha for the secure login into our site.

Why does Mintos use captchas?

Investor security is our top priority. Unfortunately, cybercrime is a reality, and we need to take steps to protect our investors. That’s why we introduced captchas as a preventive measure, as they offer a good defence against bots. We’re using invisible captchas, so most investors won’t notice anything – the captcha just checks the browser configuration in the background and approves the login. In rare cases, investors may be asked to manually solve the captcha to log in. Some privacy-related browser plugins will block invisible captchas. In that case, investors need to enable the captcha script to log in. Unfortunately, this is needed to keep high-security standards.

Why are my scripts not working anymore? Unfortunately, we need to block scripts, as it’s not always possible to distinguish between good automation and botnets. In that case, your security needs to take precedence.

Why does Mintos use third-party scripts? Some third-party scripts are necessary to provide our service to investors.

Mintos team wishing you to have a good day ahead.

Thank you for your patience and understanding.
Let us know if you have any other questions.

[deflomu]

They also wrote me this:

We are working on an API solution for investors, but at this moment, unfortunately, it's not possible to grant such access.

So hopefully it will not take to long for them to provide such an api.

[tcurdt]

I also wrote them so they notice there is some pressure.

[igno2k]

Any news from Mintos? Any idea how me can make some more demand on this topic (maybe a petition for feature voting)?

[lenusch]

Nothing happens, gave it up. Still not working ...

[tcurdt]

They just released their mobile apps - so now there should be an API.

[tmechen]

their answer is so freaking wrong on so many levels, makes you think if there are any security capabilities in the team...

[tcurdt]

@tmechen Well, it's old. Now they have an API at https://mobile-api.mintos.com

[tmechen]

oh okay nice, maybe ill take a look. did you find this api by listening to the app or is there any documentation out there?

[tcurdt]

@tmechen Well, there is an app :) but no docs. I also watched the communications on the network. I did not look at the HTTPS connection in detail but it seems like they are using certificate pinning or a client certs to secure the connection.

Now there isn't even a technical reason anymore. But it suggests they are not willing to let us use the API anytime soon.

[tcurdt]

This is what I get for https://mobile-api.mintos.com

handshake_failure (40) - Unable to negotiate an acceptable set of security parameters, this probably means there are no cipher suites in common

while interception https://www.mintos.com works just fine.

Maybe they are also just very strict with the ciphers and my MITM tool does not provide the correct one.

[pikespeak]

It is possible to extract the API commands from the Android APK file? APK Download

[tcurdt]

It is possible to extract the API commands from the Android APK file?

It might - but that won't help at all if we cannot establish the HTTPS connection. And if we can, there is no real reason to look at the APK file - then we can just look at the network.

[tcurdt]

Last resort would be trying to extract the certificate from the application - but that's not really a long term viable solution.

I think at this stage it would be good to talk to Mintos again - now that they do have an API.

[gering]

any news on this?