Comment by kstrauser
8 hours ago
My understanding is this is exactly how Vercel works. The users hadn’t checked the “don’t ever reveal, even to me” box next to the sensitive values. If they had, the attacker would only have been able to see the names of the variables and not their values.
Ah. The article has since been updated to point out that it’s not plaintext, but encrypted at rest (which would be expected). OK.