VMware by Broadcom is changing their software download URLs: VCF Authenticated downloads Configuration Update Instructions

I call this authentication theater.

To me this smells like someone had an “unauthenticated API or URI” finding. A junior dev came up with a clever hack, and now here we are with something hasty, kludgy, and insecure. A shared secret?! In the URL?!