[6thSigma]

So the security risk requires someone to somehow get your ASP? Correct me if I'm wrong, but I believe you can only make a new ASP when you are already signed in and it disappears after you 'hide' it or leave the page. It kind of seems like if you can get a user's ASP, the account is probably already compromised.

It's nice that they are fixing a couple loopholes, but not sure if it will actually help any.

[Shank]

The main issue with this is the automatic login functionality. If a person has 2 factor enabled on their account, and any of their devices (phones, tablets, etc) are stolen, it becomes trivial to act without a password to steal the entire account. If they have a lock screen password, it becomes harder to attack, but any compromised device would likely give an attacker a few hours prior to a user noticing and killing its tokens.

[6thSigma]

The loop hole seems to require the plain text ASP though.

[Zikes]

Presumably the ASP could be intercepted via MITM, when it's being passed to the application for which it was generated.