:sigh: another day, another website that hardcodes their @oauth_2 client secret in JavaScript 🤦‍♂️
But they base64 encoded it, so that’s OK, right?
Replying to @akalsey @oauth_2
not even 😭 the variable is called "client_secret" and worse, it's a bank

Aug 1, 2019 · 5:56 PM UTC

Replying to @aaronpk @oauth_2
I once had to respond to a security audit that included a code scan. The scanner red flagged any variable called password or secret, or various misspellings thereof. You could store the password, you just had to name the field “donottellanyone” or something.