Aaron Parecki · Aug 1, 2019 · 5:36 PM UTC

Aaron Parecki

Aaron Parecki @aaronpk

1 Aug 2019

:sigh: another day, another website that hardcodes their @oauth_2 client secret in JavaScript 🤦‍♂️

Not Fake Adam Kalsey · Aug 1, 2019 · 5:55 PM UTC

Not Fake Adam Kalsey @akalsey

1 Aug 2019

But they base64 encoded it, so that’s OK, right?

Aaron Parecki · Aug 1, 2019 · 5:56 PM UTC

Aaron Parecki · Aug 1, 2019 · 5:56 PM UTC

Aaron Parecki @aaronpk

1 Aug 2019

Replying to @akalsey @oauth_2

not even 😭 the variable is called "client_secret" and worse, it's a bank

Aug 1, 2019 · 5:56 PM UTC

Not Fake Adam Kalsey · Aug 1, 2019 · 5:58 PM UTC

Not Fake Adam Kalsey @akalsey

1 Aug 2019

Replying to @aaronpk @oauth_2

I once had to respond to a security audit that included a code scan. The scanner red flagged any variable called password or secret, or various misspellings thereof. You could store the password, you just had to name the field “donottellanyone” or something.