Archive for the ‘crypto’ Category
Flickr API Key Attack
Some security researchers have published an article detailing a vulnerability in the Flickr API that allows an attacker to forge requests on behalf of third-party applications. It’s very simple, and based on the fact that signed API calls are constructed in a dumb manner: If the function call is f(a=1,b=2,c=3) and the secret shared key is DONUTS, then the application computes md5(DONUTS || a1b2c3)=<hash> and appends the argument value api_sig=<hash>. This is bad for a couple of reasons:
- There are no delimiters to separate the argument names from values, so the signature is the same if you have (for example) the argument/value pairs a1b=2, c=3.
- More importantly, this is NOT the right way to compute a MAC. This scheme uses hash(secret || message). Instead, the standard way to do this (the HMAC spec) is, in simplified form, hash(secret || hash(secret || message)); the actual spec XORs the key with a different padding constant for the inner and the outer hash.
Using this design flaw, plus a length-extension attack on MD5, which has been around since prehistoric times, an attacker who obtains a single signed API call can generate arbitrary calls from that API key without having the secret. The authors also list a few malicious ways to abuse this.
Interestingly, Facebook uses a very similar scheme but appends the secret to the end rather than the beginning. This prevents this length-extension attack from working but may still be open to other MAC attacks.
Check out the paper; it’s short and very easy to understand.
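The two design problems listed above, shown next to a hardened signer. This is an added example, not code from the paper or from Flickr. The function names, the sorted argument order, and the choice of HMAC-SHA256 over a URL-encoded canonical form are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

SECRET = b"DONUTS"  # shared secret from the post's example


def weak_sig(params: dict) -> str:
    """Scheme described in the post: md5(secret || name1value1name2value2...)."""
    # Sorting arguments by name is an assumption made for this example.
    joined = "".join(k + v for k, v in sorted(params.items()))
    return hashlib.md5(SECRET + joined.encode()).hexdigest()


def canonical(params: dict) -> bytes:
    """Unambiguous encoding: sorted name=value pairs joined by '&'.

    urlencode percent-encodes any '&' or '=' inside a name or value, so two
    different argument sets can never serialize to the same byte string.
    """
    return urlencode(sorted(params.items())).encode()


def strong_sig(params: dict) -> str:
    """Hardened replacement (assumed design): HMAC-SHA256 over the canonical form."""
    return hmac.new(SECRET, canonical(params), hashlib.sha256).hexdigest()


def verify(params: dict, sig: str) -> bool:
    """Server-side check; compare_digest avoids leaking a timing signal."""
    return hmac.compare_digest(strong_sig(params), sig)


# Constructed sample calls: different arguments, same concatenation "a1b2c3".
CALL_1 = {"a": "1", "b": "2", "c": "3"}
CALL_2 = {"a1b": "2", "c": "3"}

if __name__ == "__main__":
    print("weak signatures collide:  ", weak_sig(CALL_1) == weak_sig(CALL_2))
    print("strong signatures collide:", strong_sig(CALL_1) == strong_sig(CALL_2))
    print("valid tag verifies:       ", verify(CALL_1, strong_sig(CALL_1)))
    print("tag reused on other call: ", verify(CALL_2, strong_sig(CALL_1)))
```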
An Illustrated Guide to AES
Today a fellow named Jeff Moser posted a neat guide to understanding AES using stick figures. It’s pretty excellent (i.e. humorous) and goes into a lot of the gritty details as well. He also has a project on GitHub with a well-commented sample (read: not for real use) implementation to go with the illustrations.