[config_yml]

They're a small company with an even smaller engineering team, I think 13 devs or something like that. I would imagine either everyone knows about it immediately or they are too overloaded with work that it gets deprioritised into oblivion after a quick first look.

[lol768]

It's not an excuse, it's just poor engineering culture or lack of security awareness. I work with an engineering team of 5 - security issues still get prioritised and fixed. Feature work gets deprioritised, as it should, as soon as there's a credible security concern.

[LightBug1]

You must work at a half-decent outfit then.

[lawgimenez]

If they had time to rewrite the whole native app to React Native then they should have enough time to triage this security issue.

[dmvdoug]

Obligatory link: https://youtu.be/Uo3cL4nrGOk

[nurple]

All they had to do was add and validate a nonce value in the state, or at the very least, to triage, sanitize the subdomain value. The latter would literally be a 10 minute fix.