Asana Desktop Application Includes Personal Access Token

Summary by Asana

@lauritz discovered sensitive credentials bundled in our Asana Desktop for Mac application. Within hours of @lauritz's report, we revoked and rotated the credentials on our end. Following that we determined the root cause and in the subsequent days deployed mitigations and improved our build process to prevent similar issues in the future. Thanks @lauritz!

Summary by lauritz

Please find a detailed write-up on my blog: https://security.lauritz-holtmann.de/advisories/asana-desktop-credential-disclosure/.

Feel free to contact me on Twitter in case you have any comments or questions: @_lauritz_.

Activity