> We are reaching out to inform you of an important update requirement for the Microsoft.Identity.Client package referenced in your project.
> A previous version of this package contained a typo in a comment URL that inadvertently pointed to a typo squatting phishing site:
> hXXps[:]//login[.]microsfoftonline[.]com/common

I feel like actions were ~justified. Even if this is not on an authentication hot path. There is a perception around the .NET ecosystem that has to be maintained. Waiting for a package owner to respond could take a really long time.

> We figured this was probably a nothing-burger and went about our business.

QED
Aaronontheweb•4h ago
To be fair, that's because their own Azure.Identity org hadn't even shipped an update addressing this vulnerability and they work in the same building.