Is the XSS exploitable? Can you insert data in the phone field via a form submit or URL param? Seems like the attack requires exceedingly unlikely user interaction.

Did you contact the Portuguese National Data Protection Agency? If you can leak phone numbers, they should be informed.

Cool findings :)

Thank you :)

Regarding the XSS attack, I have the answer here: https://iluxonchik.github.io/chave-movel-digital-xss/#commen...

I did not, thank you for suggesting, I will do it now.

When your cousin's software consultancy company is hired...