Your personal finance manager. iOS and Android App for Beancount.io
License: MIT License
Beancount Mobile Community Edition is an iOS and Android App for Beancount.io - Double-entry bookkeeping made easy for living your best financial life 💰
Run it locally
git clone [email protected]:stargately/beancount-mobile.git
cd beancount-mobile
npm install
npm run startScripts
npm run test: test the whole projectnpm run lint: run the linternpm run schema: generate Apollo GraphQL schemaStar ⭐️ the repo, download the App, and give it a review!
Ask us at https://t.me/beancount
Hi team ,
I want to report a security vulnerability
Vulnerable Link : https://beancount.io/forgot-password
Vulnerability Name : No Rate Limitation on password reset link
Steps To Reproduce The Issue
Step 1-Go To This Link https://beancount.io/forgot-password
Step 2- Intercept invite Request In Burp
Step 3- Now Send This Request To Intruder and Repeat upto 1000 Time By Fixing Any Arbitrary Payload Which Doesn't No Effect Request I Choose Accept-Language: en-US,en;q=$0.5$
Step 4 - See You Will Get 200 Ok Status Code , you will get emails
See It is Resulting In Mass Mailing Or Email Bombing To Your Users Which Is Bad For Business Impact
Solution -
I Will Recommend You To Add A Re-Captcha & Sort Of Something Which Requires Manual Human Interaction To Proceed Like You Can Add Captcha Like 2+2=_ so that it cannot be brute forced and you also can have a limit at the backend for particular number up
to 5 times a day user can request invite user or Link something like that will prevent you from someone exploiting this vulnerability
Impact :
If You Are Using Any Email Service Software API Or Some Tool Which Costs You For Your Email This Type Of Attack Can Result You In Financial Lose And It Can Also Slow Down Your Services It Can Take Bulk Of Storage In Sent Mail Although If Users Are Affected By This Vulnerability They Can Stop Using Your Services Which Can Lead To Business Risk
Thanks & Regards
Amit kumar
This would allow users to edit their ledgers using their own editor, as well as enabling scripts and so on.
Hi Puncsky,
非常感谢你们团队的付出,我试用了的beancount mobile app. 大体上已经非常贴合需求,手机适配也不错。 但如果有些改变,会更加完美。
关于第一点,我试过了,可以在Ledger中输入达到这个目的。 但在类网页界面上,有些太小而不方便操作。
could we use something like https://www.npmjs.com/package/short-number for labels instead of using 12.34k directly? People may make money in hundreds, thousands, millions, etc.
we need to refactor beancount-mobile/src/screens/home-screen/hooks/use-home-charts.ts and all the chart styles
why is monthly net income positive numbers are with $ while negative numbers are not?
Hi,
Vulnerability 1
Name : Application Data can be Backed up
Severity : High
Vulnerable Parameter : [android:allowBackup=true]
Description : This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
Steps to reproduce :
Impact : If this attribute is set to true, backup or restore of the application can be easily performed, even by a full-system backup that would otherwise cause all application data to be saved via adb.
Vulnerability 2
Name : Clear text traffic is Enabled For App
Severity : High
Vulnerable Parameter : [android:usesCleartextTraffic=true]
Description : The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.****
Steps to reproduce :
Impact : Keeping This call as true could create accidental regressions in apps due to changes in URLs provided by external sources such as backend servers.
Thanks,
Simran, India
Telegram - simranCMD
Name: Activities are not protected
Description: An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. {android :exported= true}
Activities:
abi35_0_0.expo.modules.payments.stripe.RedirectUriReceiver
abi36_0_0.expo.modules.payments.stripe.RedirectUriReceiver
abi37_0_0.expo.modules.payments.stripe.RedirectUriReceiver
abi38_0_0.expo.modules.payments.stripe.RedirectUriReceiver
androidx.biometric.DeviceCredentialHandlerActivity
com.facebook.CustomTabActivity
expo.modules.payments.stripe.RedirectUriReceiver
host.exp.exponent.experience.TvActivity
host.exp.exponent.LauncherActivity
net.openid.appauth.RedirectUriReceiverActivity
Used Tools: apktool
File: AndroidManifest.xml
Impact: Malicious application keeps calling the exported activities so that not logged in users are also impacted & it also leads to crash the app continuously
Steps to Reproduce:
Name: Broadcast Receiver is Protected by a permission, but the protection level of the permission should be checked
Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. {android :exported= true}
Broadcast Receivers:
Broadcast Receiver: com.facebook.CampaignTrackingReceiver
Permission: android.permission.INSTALL_PACKAGES
Broadcast Receiver: com.google.android.gms.gcm.GcmReceiver
Permission: com.google.android.c2dm.permission.SEND
Broadcast Receiver: com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver
Permission: android.permission.INSTALL_PACKAGES
Broadcast Receiver: com.google.firebase.iid.FirebaseInstanceIdReceiver
Permission: com.google.android.c2dm.permission.SEND
Broadcast Receivers not protected:
host.exp.exponent.notifications.receivers.SchedulingTriggerReceiver
host.exp.exponent.referrer.InstallReferrerReceiver
File: AndroidManifest.xml
Used Tools: apktool
Steps to Reproduce:
Name: A Service is Protected by a permission, but the protection level of the permission should be checked
Description: A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. {android :exported= true}
Services:
Service: com.google.android.gms.auth.api.signin.RevocationBoundService
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION
Services not protected:
host.exp.exponent.fcm.ExpoFcmMessagingService
File: AndroidManifest.xml
Used Tools: apktool
Steps to Reproduce:
Regards,
Mufaddal M
India
Telegram: @muffynsta
Hello Security Team
I would like to report security issue
Vulnerability Details :-
Vulnerable link : https://beancount.io/forgot-password
Vulnerability Name : Password reset Link is not expiring after getting a new reset link
Steps to reproduce :-
Explanation :-
Suppose at 07:00 hrs I used password reset options of beancount.io and got a token on my email. Lets call it token 01. But i did not use it.And at 07:02 hrs I used again the password reset option and got a new token, which is token 02. Now generally after the issuance of token 02, the previous unused token should expire. But in case of beancount.io , its not happening
Mitigation :-
All unused tokens should expire automatically after the issuance of a new token
Please Fix the issues
Thanks & Regards,
Amit kumar
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
