CRM Extension: Request signature not unique


#1

Hi,

I have noticed that the request signatures are not unique if the feed is reloaded for the customer.

E.g.

User views contact, CRM extension loads feed URL, X-Request-Signature = 256aa9c2821e03ec717738c4c3e5e12a810d54c2a5b29443444e070bfe53f163.

User clicks CRM extension settings, settings iframe loaded, user closes iframe, CRM extension loads feed URL, X-Request-Signature = 256aa9c2821e03ec717738c4c3e5e12a810d54c2a5b29443444e070bfe53f163.

Could we not append a uid/uuid to the end of the feed URL to prevent duplicate X-Request-Signatures or have I missed something?

Thanks


#2

Hi @arbme

The way our signatures are currently created, they are susceptible to replay attacks. Two requests to the same app for the same data are not unique because all of the input is the same in each request (secret, method, uri, data). That part is currently expected, but it does mean that an eavesdropper could intercept the request and then later on use it to spoof verification. If that eavesdropper makes the exact same request to get data from the app and provides the exact same signature it will be indistinguishable from a HubSpot request.

We're currently working on an updated signature structure that will roll out as a part of some new platform changes. This scheme includes a timestamp component, making the signature more secure. This change is not backwards compatible with our current X-HubSpot-Signature scheme, but we will migrate the CRM Extensions API to this new platform at some point, with a grace period where both schemes are supported. Stay tuned to the Platform Changelog for more details on this.
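To make the two points above concrete (the duplicate X-Request-Signature seen in #1, and the replay exposure and timestamp component described in #2), here is a small added example. It is illustrative code written for this thread, not HubSpot's actual signing algorithm or any of its SDK code: the legacy scheme is assumed to be a SHA-256 over secret + method + uri + body exactly as listed in #2, the timestamped scheme is assumed to be an HMAC-SHA256 over method + uri + body + timestamp, and the names `legacy_signature`, `timestamped_signature`, `verify_timestamped`, `ReplayCache`, and the sample secret are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample secret for the example only; a real app secret
# would be loaded from configuration and never hard-coded.
APP_SECRET = b"example-app-secret-not-real"


def legacy_signature(secret: bytes, method: str, uri: str, body: bytes) -> str:
    """Assumed legacy scheme: hash over (secret, method, uri, data).

    Every input is fixed for a given request, so two identical feed loads
    produce an identical signature and the value can be replayed verbatim.
    """
    msg = secret + method.encode() + uri.encode() + body
    return hashlib.sha256(msg).hexdigest()


def timestamped_signature(secret: bytes, method: str, uri: str,
                          body: bytes, timestamp: int) -> str:
    """Assumed timestamped scheme: HMAC over (method, uri, data, timestamp).

    The timestamp is sent alongside the signature so the receiver can
    recompute it and bound how long any captured value stays valid.
    """
    msg = method.encode() + uri.encode() + body + str(timestamp).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayCache:
    """Remembers signatures already accepted inside the freshness window.

    In a real service this would be a shared store with expiry; a plain set
    is enough to show the check.
    """

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def seen_before(self, signature: str) -> bool:
        return signature in self._seen

    def remember(self, signature: str) -> None:
        self._seen.add(signature)


def verify_timestamped(secret: bytes, method: str, uri: str, body: bytes,
                       timestamp: int, signature: str, now: int,
                       cache: ReplayCache, max_age: int = 300) -> tuple[bool, str]:
    """Receiver-side verification for the timestamped scheme.

    Order of checks: freshness (cheap, bounds the replay window), then the
    constant-time signature comparison, then a replay check so that a
    signature captured inside the window cannot be reused even once.
    """
    if abs(now - timestamp) > max_age:
        return False, "stale"
    expected = timestamped_signature(secret, method, uri, body, timestamp)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if cache.seen_before(signature):
        return False, "replay"
    cache.remember(signature)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request: the same feed URL loaded twice.
    method, uri, body = "GET", "https://app.example/feed?contactId=42", b""
    s1 = legacy_signature(APP_SECRET, method, uri, body)
    s2 = legacy_signature(APP_SECRET, method, uri, body)
    print("legacy signatures identical:", s1 == s2)

    ts = 1_700_000_000
    sig = timestamped_signature(APP_SECRET, method, uri, body, ts)
    cache = ReplayCache()
    print(verify_timestamped(APP_SECRET, method, uri, body, ts, sig, ts + 5, cache))
    print(verify_timestamped(APP_SECRET, method, uri, body, ts, sig, ts + 6, cache))
    print(verify_timestamped(APP_SECRET, method, uri, body, ts, sig, ts + 900, ReplayCache()))
```

The first two prints show the behaviour reported in #1: with no per-request input, the legacy signature for a repeated feed load is byte-for-byte the same. The timestamped variant accepts the request once, rejects the identical second delivery as a replay, and rejects the same value outright once it is older than the freshness window; the receiver therefore also needs reasonably synchronised clocks and a shared cache if it runs on more than one host.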