eidorb / ubank

Access ubank programmatically.
MIT License

Does this still work? #3

Closed strich closed 3 months ago

strich commented 2 years ago

Thanks for this script. It appears it does not work out of the box anymore. Running it I receive: {"error_description":"Invalid user credentials","error":"invalid_grant"}

I took a look at the network traffic for browser login and at least for me it requires an SMS OTP. How are you dealing with this now?

eidorb commented 2 years ago

I noticed it stopped working a bit over a week ago.

So you’re saying the browser log in flow now requires MFA? That’s interesting and it would indeed be a change.

I had a look at the mobile app and it does not require MFA just to sign in.

I’ll have a look at this at some point and see what I can find.

strich commented 2 years ago

Ah, then MFA is probably still not required if you're taking the mobile app path. What user credentials do you pass in? I was passing in my email and password that I use to log in via the desktop, but maybe the mobile login demands the mobile phone as username?

adentranter commented 2 years ago

I am also keen to know about this, as I want to set up something to extract my transactions on the fly.

strich commented 1 year ago

Hey @eidorb wondering if you had a chance to take a look yet?

eidorb commented 1 year ago

No, this doesn’t work.

I had a look @strich. I think these requests are being blocked by Akamai Bot Protection. Headers and cookies with values determined by tracking user signals. Circumventing this is non-trivial and not worth my time.

It’s a shame they prioritise security theatre over providing customers access to their data.

I’ll keep this open in case old UBank accounts are migrated to the system they acquired from 86400.

timwhite commented 1 year ago

@eidorb they are moving the old ubank accounts over now. I've recently been moved, it seems to just be setting us up on the new system, new account details, and then doing a transfer of all money to the new account. They are pulling transactions through as well. Do you have details for the 86400 API?

eidorb commented 1 year ago

I haven’t been migrated.

mpember commented 1 year ago

I just got moved to the new (86 400?) system. Is there an API for that?

aidando73 commented 1 year ago

@eidorb Is it theoretically possible to make this work for accounts in the new system? I might be able to look into it if I have some spare time.

eidorb commented 1 year ago

@REslim30 yes I think it's possible. The new platform has two-factor authentication, which is certainly a good thing. However, that is a blocker for my main use case, which is unattended retrieval of account transactions and balances.

mpember commented 1 year ago

@eidorb I had a play with capturing the traffic from the phone app the other day and it appears that there is still an API that exposes the same functionality that was being used previously. I just haven't had a chance to dig deeper into it to see if it is possible to emulate the mobile app to circumvent the web browser requirement for 2FA authentication.

adentranter commented 1 year ago

I had a quick look through the browser;

Minus the 2FA auth and whatnot, it's quite a clean API that would be easy enough to try out a lot of things. Sadly, the one thing I want to do is a really hard task to do. Essentially, have them send me a request when people try to take payment on my card; I can return true or false.

I wonder how close to phone it is.

I can share my findings if anyone is keen?

eidorb commented 7 months ago

I've reworked this project using Playwright. It's not super elegant, but using a full browser is an easy way to retrieve info from ubank.

See how you go.

mpember commented 6 months ago

Your updated code mentions the option to trust a browser, but I don't see that option when I log in.

eidorb commented 3 months ago

I had another go at reverse engineering the mobile app API with fresh eyes... and it was successful!

I've published a new version of this package. It's much simpler and lightweight (doesn't require a headless browser).

I'll close this issue now that I'm happy with the updated module.