by Timshel
2180 days ago
What's really WTF for me is: "We found that we could exchange the stolen authentication token for a Bearer token through app.vsaex.visualstudio.com"
For me this exchange should always require an additional secret they should not have access to (exception would be for an app where securing the secret is not trivial, but not the case here I believe).