Asana Desktop Application Includes Personal Access Token

Disclosed by
  • Program Asana
  • Disclosed date almost 2 years ago
  • Reward $6,100
  • Priority P1 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by Asana

@lauritz discovered sensitive credentials bundled in our Asana Desktop for Mac application. Within hours of @lauritz's report, we revoked and rotated the credentials on our end. Following that we determined the root cause and in the subsequent days deployed mitigations and improved our build process to prevent similar issues in the future. Thanks @lauritz!