We ran a pentest on Bickie. Here's what we found — and fixed.
Bickie holds your financial data, so we test ourselves like an attacker would. Here's the full result of our latest security review, including the things we got wrong and have now fixed.
Bickie holds some of the most sensitive data you own — your accounts, your balances, your plans for the next thirty years. I take that seriously, and I think the honest way to earn your trust is to show you the work rather than just claim "bank-level security" and move on.
So this week I put Bickie through a security review: an automated penetration test against the live app, plus a line-by-line audit of the parts that actually guard your data. This post is the full result — what was already solid, what wasn't, and exactly what I changed.
How we tested
Two angles, because they catch different things.
From the outside (a pentest). An AI-driven penetration testing tool probed the live app the way an attacker would — looking for leaked secrets, weak headers, exposed admin pages, injectable inputs, and known vulnerabilities. It has no knowledge of how Bickie is built; it just attacks.
From the inside (a source audit). Black-box scanning is good at finding the obvious stuff and bad at finding logic flaws, so I also audited the code that enforces who-can-see-what: the database access rules, every server-side function, and the login and two-factor flows.
What was already solid
I'll start here, because most of the review was uneventful — which is the point.
- Every table of your data is protected at the database level. Postgres row-level security is enabled on all of it, scoped so you only ever see your own household's records — not a rule we apply in the app and hope for, but enforced by the database itself.
- Admin tools require admin permission. Every privileged operation checks that the caller is actually a staff member with the specific permission, and logs it.
- Payments can't be forged. Our payment provider's webhooks are signature-verified before we trust a single byte.
- Two-factor is real. When 2FA is on, the elevated session is enforced by the auth server, not by a flag in your browser that could be flipped.
- No secrets ship to your browser. The only keys in the app are the ones that are designed to be public.
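The webhook point above is the one most often done subtly wrong, so here is what "signature-verified before we trust a single byte" looks like in code. This is an added example written for this post, not Bickie's own code or the payment provider's library; it assumes a provider that signs an HMAC-SHA256 over `<timestamp>.<raw body>` and delivers it in a `Provider-Signature` header as `t=<unix time>,v1=<hex mac>` (the header name, the secret, the five-minute replay window and the sample event are all constructed for the example). The two details that matter: the MAC is checked over the raw bytes before anything is parsed, and the comparison is constant-time with a freshness check on the timestamp.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed for this example: the signing secret the payment provider would
# hand us when the webhook endpoint is registered. In production it lives in
# the server's environment, never in the browser.
WEBHOOK_SECRET = b"whsec_example_secret_not_real"

# How far a webhook's timestamp may drift from our clock before the delivery
# is treated as a replay (assumed tolerance for this example).
MAX_AGE_SECONDS = 300


def compute_signature(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.

    Assumed signing scheme; a real provider's docs define the exact bytes
    that are covered by the MAC.
    """
    message = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_signature_header(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """What the provider would put in its signature header: "t=<ts>,v1=<hex>"."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, raw_body)}"


def verify_signature(secret: bytes, header: str, raw_body: bytes, now: int) -> bool:
    """True only if the header carries a fresh timestamp and a matching MAC."""
    fields = {}
    for part in header.split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "t" not in fields or "v1" not in fields:
        return False
    try:
        timestamp = int(fields["t"])
    except ValueError:
        return False
    # Reject stale or future-dated deliveries: a captured, validly signed
    # webhook must not be replayable indefinitely.
    if abs(now - timestamp) > MAX_AGE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, raw_body)
    # compare_digest takes the same time wherever the strings first differ,
    # so response timing cannot be used to recover the MAC byte by byte.
    return hmac.compare_digest(expected, fields["v1"])


def handle_webhook(headers: dict, raw_body: bytes, now: int) -> tuple[str, dict | None]:
    """Verify first, parse second.

    The MAC covers the raw bytes exactly as received, so the body must not be
    decoded, re-serialised or otherwise touched before this check passes.
    """
    header = headers.get("Provider-Signature")
    if header is None or not verify_signature(WEBHOOK_SECRET, header, raw_body, now):
        return ("rejected", None)
    return ("ok", json.loads(raw_body))


if __name__ == "__main__":
    # Constructed sample delivery, signed the way the provider would sign it.
    now = 1_700_000_000
    body = json.dumps({"type": "payment.succeeded", "amount_cents": 4200}).encode()
    header = build_signature_header(WEBHOOK_SECRET, now, body)
    print(handle_webhook({"Provider-Signature": header}, body, now))
    print(handle_webhook({"Provider-Signature": header}, body + b" ", now))
```

One practical trap: many web frameworks parse the request body before your handler runs. If the handler is handed a re-serialised object instead of the original bytes, whitespace or key order can differ and a valid signature will fail, which tempts people to "fix" it by skipping verification. Read the raw body and verify that.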
The external scan was similarly quiet: no leaked credentials, no exposed source maps, no open redirects, strong security headers on the app.
(One note on the automated tool: because the app is a single-page app, every URL returns the same page — so the scanner excitedly reported dozens of "hidden admin pages" that don't exist. Worth knowing if you ever run one of these yourself: a SPA makes black-box scanners cry wolf.)
What we got wrong — and fixed
The audit found five real issues. All five were found in this review rather than reported from outside, and all five are now fixed. Here they are, plainly.
1. An internal email function didn't check who was calling it. (The important one.) A behind-the-scenes function that sends notification emails wasn't verifying that the request came from our own systems, and it would send whatever subject and body it was handed. In the wrong hands that's a way to send an email that looks like it came from Bickie. Fixed: it now requires an internal secret to run, and it can only send from our own fixed templates — no caller-supplied content, ever.
2. Our marketing site was missing the hardening the app already had. The app you log into (app.bickie.com.au) ships a strict set of browser security headers. The marketing site you're reading now was missing some of them — low risk, but inconsistent. Fixed: the same headers now apply here, including clickjacking protection (the kind provided by X-Frame-Options or a frame-ancestors directive in Content-Security-Policy) and content-type protection (X-Content-Type-Options: nosniff).
3, 4, 5. Three defense-in-depth gaps. A bank-connection step and two internal database helpers didn't re-check household membership as strictly as they should have. The practical impact was limited, but "limited" isn't "none." Fixed: all three now enforce membership before doing anything.
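To make issue 1 concrete, here is a before-and-after of an email function in the shape described: no caller check and caller-supplied content on one side; a required internal secret and fixed templates on the other. This is an added example written for this post, not Bickie's actual code. The `X-Internal-Secret` header name, the template names, the user record and the secret are all assumptions, and the fixed version goes slightly beyond the text in two ways a practitioner would want: the recipient address is looked up from our own records rather than accepted from the caller, and substituted values containing newlines are rejected so a caller cannot append mail headers.

```python
from __future__ import annotations

import hmac

# Constructed for this example: in production the internal secret comes from
# the server's environment and is known only to our own backend callers.
INTERNAL_SECRET = "internal-secret-example-not-real"

# Constructed stand-in for our user records: the recipient address is looked
# up here, so a caller never chooses who receives mail.
USERS = {
    "u_1": {"email": "alex@example.com", "first_name": "Alex"},
}

# Fixed templates. "params" names the only placeholders a caller may fill;
# first_name always comes from our own records.
TEMPLATES = {
    "budget_alert": {
        "subject": "Heads up: {category} is over budget",
        "body": "Hi {first_name}, your {category} spending is ${amount} over this month's budget.",
        "params": {"category", "amount"},
    },
    "2fa_enabled": {
        "subject": "Two-factor authentication is now on",
        "body": "Hi {first_name}, 2FA was just enabled on your account. If that wasn't you, contact support.",
        "params": set(),
    },
}


def send_email_before(payload: dict) -> tuple[str, dict | None]:
    """The flawed shape: no check on who is calling, and recipient, subject and
    body come straight from the request, so anyone who can reach this endpoint
    sends mail from our domain with their own text."""
    return ("sent", {"to": payload["to"], "subject": payload["subject"], "body": payload["body"]})


def send_email_after(headers: dict, payload: dict) -> tuple[str, dict | None]:
    """The fixed shape: internal secret required, content from fixed templates only."""
    provided = headers.get("X-Internal-Secret", "")
    # Constant-time comparison so response timing leaks nothing about the secret.
    if not hmac.compare_digest(provided.encode(), INTERNAL_SECRET.encode()):
        return ("forbidden", None)

    template_id = payload.get("template")
    user_id = payload.get("user_id")
    params = payload.get("params", {})
    template = TEMPLATES.get(template_id) if isinstance(template_id, str) else None
    user = USERS.get(user_id) if isinstance(user_id, str) else None
    if template is None or user is None or not isinstance(params, dict):
        return ("bad_request", None)
    # Exactly the template's placeholders, nothing more: a "subject", "body" or
    # "first_name" smuggled in as a param is rejected rather than ignored.
    if set(params) != template["params"]:
        return ("bad_request", None)

    values = {key: str(value) for key, value in params.items()}
    # A CR or LF inside a substituted value would let the caller append mail
    # headers (an extra Bcc:, for instance) once the message reaches an SMTP client.
    if any("\r" in value or "\n" in value for value in values.values()):
        return ("bad_request", None)
    values["first_name"] = user["first_name"]

    # str.format only parses the template string, which is ours; the substituted
    # values are inserted as data and never interpreted.
    return ("sent", {
        "to": user["email"],
        "subject": template["subject"].format(**values),
        "body": template["body"].format(**values),
    })


if __name__ == "__main__":
    good = {"X-Internal-Secret": INTERNAL_SECRET}
    print(send_email_after(good, {"template": "budget_alert", "user_id": "u_1",
                                  "params": {"category": "Dining", "amount": 120}}))
    print(send_email_after({}, {"template": "2fa_enabled", "user_id": "u_1"}))
```

The shared secret protects against callers who are not our own systems; it does not by itself limit what an internal caller can send, which is why the template allow-list and the exact-keys check matter just as much as the secret.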
Found a security issue?
If you ever find something, I want to hear about it. Email support@bickie.com.au or see our security page for how we handle responsible disclosure. Reports made in good faith will always be met with thanks, never lawyers.
Security isn't a milestone you finish — it's something you keep doing. I'll keep testing Bickie like this, and when I find things, I'll keep telling you.