Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
The GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using console.logand console.debug (Which in this version of node is an alias for console.log). This is exposing sensitive information in log files including, but not limited to: Gocardless bearer tokens. Account IBAN and Bank Account numbers. PII of the account holder. Transaction details (Payee bank information, Recipient account numbers, Transaction IDs)…