MISC-48: Monzo Payment Approval Flow Broken

Issue Information

Issue Type: Bug
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: Miscellaneous (MISC)
Resolution: Fixed (2021-07-29 13:09:21)

Created: 2021-07-29 12:49:54

I was trying to put some money into my Vanguard account (using my desktop), but the Monzo payment flow seems to be broken.

Steps are:

1. Select investments etc
2. Enter card details
3. Web browser shows the "Open your Monzo app to approve this payment"
4. Monzo app shows notification - Payment to Vanguard to approve (or whatever the wording is)
5. Click notification, click Approve, enter pin

The app just shows a white screen, and the browser on my desktop doesn't change (i.e. continues to sit on the "Open your Monzo app to approve this payment").

Eventually, something times out, and Monzo shows Declined - you didn't approve this transaction in time.


Issue Links

Twitter Thread


Started a Twitter thread, seems I'm not the only one - https://twitter.com/promofaux/status/1420344882632200194

I turned Wifi off on my phone in case it was PiHole blocking something, but no dice.
Adam's mention of refreshing the page gave me a thought - so in the browser I right clicked the Monzo frame and chose Frame -> Reload.

It then shows payment complete.

So, looks like it's something on the browser side stopping the frame from getting a notification.

Decided to pay a little more in and have dev tools etc open this time.
JS console reports a CORS issue for a script (https://js.sentry-cdn.com/6d7c4b98be84475383025b83113480b3.min.js), followed shortly by an exception:
Uncaught ReferenceError: Sentry is not defined
    mzStartPolling https://verify.monzo.com/3ds2/poll-status.js:4
    <anonymous>   https://verify.monzo.com/3ds2/challenge?auth_id=3ds2auth_7bfc9898-c9b7-545e-84f8-c12fd257787c:62

The name mzStartPolling strongly suggests that's the function used to check for updates - that breaking is obviously going to stop the auto-refresh.

The network tab shows that the request for https://js.sentry-cdn.com/6d7c4b98be84475383025b83113480b3.min.js was blocked by uBlock Origin.

It's on the EasyPrivacy list.

I added the following filter to my uBlock Origin to test

and the payment flow worked as a result.
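
The failure mode described in this comment, as an added example that is not part of the original issue and is not Monzo's code: a poller that calls a `Sentry` global unconditionally stops with a ReferenceError when the CDN script is blocked, while a guarded version treats telemetry as optional. The function names and the synchronous loop are assumptions made for illustration.

```javascript
// Constructed model, not Monzo's code: a status poller that reports through a
// third-party global named Sentry. Function names here are hypothetical.

// Fragile: uses the global unconditionally, so a blocked script aborts the
// function with a ReferenceError before the first status check runs.
function pollFragile(fetchStatus, maxAttempts) {
  Sentry.addBreadcrumb({ message: "poll started" });
  for (let i = 0; i < maxAttempts; i++) {
    if (fetchStatus() === "approved") return "approved";
  }
  return "timeout";
}

// Telemetry is optional: report only if the SDK loaded, and never let a
// reporting failure propagate into the payment flow.
function report(method, ...args) {
  try {
    if (typeof Sentry !== "undefined" && typeof Sentry[method] === "function") {
      Sentry[method](...args);
      return true;
    }
  } catch (_) { /* swallow: telemetry must not break polling */ }
  return false;
}

// Guarded: same loop, but polling proceeds with or without the SDK.
function pollGuarded(fetchStatus, maxAttempts) {
  report("addBreadcrumb", { message: "poll started" });
  for (let i = 0; i < maxAttempts; i++) {
    if (fetchStatus() === "approved") return "approved";
  }
  return "timeout";
}

// What the frame ends up showing. A real page would poll on a timer; the
// loop keeps this deterministic.
function runChallenge(poller, fetchStatus) {
  try { return poller(fetchStatus, 5); }
  catch (err) { return "stuck: " + err.name; }
}

// Constructed status feed: returns each state in turn, then repeats the last.
function makeStatusSource(states) {
  let i = 0;
  return () => states[Math.min(i++, states.length - 1)];
}

const demo = () => makeStatusSource(["pending", "pending", "approved"]);
console.log(runChallenge(pollFragile, demo()), "|", runChallenge(pollGuarded, demo()));
```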
btasker added 'Screenshot_20210728_130545.png' to Attachments
btasker added 'Screenshot_20210728_132520.png' to Attachments
The entry on the EP list seems to have been added in April - perhaps Monzo only added use of Sentry recently then?
I created a Pull request to adjust EP so that Sentry would be allowed from verify.monzo.com : https://github.com/easylist/easylist/pull/8458
The Monzo (https://monzo.com/) payment verification process is broken by the widescale blocking of Sentry (introduced in d610e11), because it uses Sentry to send events to the payment page once the user has verified payment in their app.

With the block in place, the user will approve the payment in the Monzo app, but the merchant's page will never update (you can force it by right clicking on the frame and choosing reload).

More discussion can be found on Twitter here - https://twitter.com/bentasker/status/1420354891453763588

I also provided all this info to Monzo via the in-app chat.
Monzo confirmed via app and Twitter that they've fixed this on their end - https://twitter.com/rubendura/status/1420655054344830980
EasyPrivacy rejected my Pull Request with (IMO) some fairly crappy reasoning
Was blocked long before that commit, if we can't reproduce it. It won't be fixed in EP. Privacy. Maybe have a fallback option here.

Given Monzo have fixed it, it's a bit moot now really, but the response irritated me, so I've replied
Honestly, that's a pretty crap response.

It doesn't matter when you blocked it, it's broken a service I use.

> Maybe have a fallback option here.

I'm a Monzo user, I have nothing to do with the org or their codebase.

> if we can't reproduce it. It won't be fixed in EP. Privacy

To repro, you'd have needed to be able to open a UK bank account (i.e. get a Monzo account), put money in, then attempt to make an online payment. So, this approach means (more or less) any banking (or otherwise private) service that gets broken by an EP Privacy overblock gets to stay broken.

In this case, it's moot, because Monzo have been quite responsive (https://twitter.com/rubendura/status/1420655054344830980) and dealt with the issue, but this approach doesn't exactly serve to build confidence in using these lists.

At the end of the day, I'm a user of your lists, and of Monzo, if the detail I provided wasn't enough, maybe ask for more? Especially given it stems from a fairly wide block of something that's been reported as an overblock (https://forums.lanik.us/viewtopic.php?f=64&t=31754&p=99380&hilit=sentry+cdn.com#p99380) on multiple occasions (https://forums.lanik.us/viewtopic.php?f=64&t=43332&p=149006&hilit=sentry+cdn.com#p149006).
So, this is now fixed.

I'm surprised, and impressed, at Monzo's response - based on my dealings with Barclays (MISC-45) I'd fully expected some variation of "turn your adblocker off", instead they've taken the report, used it and fixed the issue.

Conversely, I'm surprised and disappointed at Easylist's response. If there'd been an issue with the content of the pull request, I'd understand that, but to have it closed with such a poor response doesn't really instil much confidence. If their position is as they state (i.e. they need to be able to repro to merge) then use of EP. Privacy is basically incompatible with any service where membership is even slightly restricted. Saying "have a fallback option" is a bit like saying "don't break shit" - it's a completely spurious position that just sounds good.

Closing as Fixed - thanks to Monzo.
btasker changed status from 'Open' to 'Resolved'
btasker added 'Fixed' to resolution
btasker changed status from 'Resolved' to 'Closed'
Had another reply on the pull, I had no idea these guys were such out and out fundamentalists....
EasyList(+*) Can never be responsible for whatever spyWare/trackWare/malWare etc any domain owner might add to there code base (website).

In case there arise a conflict between Easylists attempt to protect users and your human right to privacy against evil greedy companies, then it is the Evil Webmaster who have chosen to "break" there own website by adding evil code to it.

If you then, despite this warning from @easylist, still would like to have your internal organs harvested by mr. greedy dollar then you always have your personal right to do this by whitelisting such thing. In addition to this you could add the needed whitelisting rule here for sharing for other like minded.

The discussion of blocking sentry-cdn.com have ended.

The threads about that is to be located these places:

sentry.io #4060 (sentry.io)
ingest.sentry.io #6963 (sentry.io)
arc.io untracking ads #7872
https://mypdns.org/my-privacy-dns/matrix/-/issues/1390 (sentry.io)
https://mypdns.org/my-privacy-dns/issues/-/issues/4349 (sentry-cdn.com)

Looking at the linked issues, the maintainers are consistently (and heavily) downvoted for their views.

Anyway, it's moot, I'm not getting into a protracted argument on this.