[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Formstack Webhook HMAC Advisory
- From: Derrek Bertrand <derrekbertrand AT gmail.com>
- Subject: [FD] Formstack Webhook HMAC Advisory
- Date: Wed, 7 Feb 2018 22:47:45 -0500
- Arc-authentication-results: i=1; mx.google.com; dkim=neutral (body hash did not verify) email@example.com header.s=20161025 header.b=lN+1v0fc; spf=pass (google.com: domain of fulldisclosure-bounces AT seclists.org designates 220.127.116.11 as permitted sender) smtp.mailfrom=fulldisclosure-bounces AT seclists.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-unsubscribe:list-id:precedence:subject:to:message-id :date:from:mime-version:dkim-signature:delivered-to :arc-authentication-results; bh=tuGh2whfFsm1sxzpifGU7xNiF2IucZyMP9HkojYETiU=; b=t39ntVd3eCcyV45nVh/MsjpdZBuJLkSgsd7Q5afEzon5clPRz2s4ukUxfmJ4lScxdE eMyFasmtsXsbIhzYenAA+gmJk6WiJqXA9/CeS1yT8uW5PRqx0DEoXvddnEAxcRwXEtma QziT74qAYwmjZ0/FhX//awBS7+TvEFGeU/snPCA05oSUK8UFSiyfOVtpVjBKVN1jG3vt T0FodFHCF2WnzGhUS0P+Idy+HcOFCf9HAbokMdHIN53PoDRKdbOWZoCo+YUBwnb10mtj XKR3dkEt2ZORYi37jk4A3av3NzWN97gJsN8nR3rkV0H9AVuHCX1pMbgwNvfbHGMgS4Ue xsIg==
- Arc-seal: i=1; a=rsa-sha256; t=1518192281; cv=none; d=google.com; s=arc-20160816; b=T9nYY+/tN9pUBTtQ1XcnJxo459JGiDNhcByr9Onj8kJ9KeuYwvWNpkxm0ZveulLvbE a9+tR++bONcyicSFvrLSF2oZAF9T6GlqgV/XsEb2IDiiTmChIKBp+NDzQuInfAOX1NqD zmhyHGU3PSG6DsbvN76B1xUIiJD55+vuGqBTz97LTdeuA2Zi2t+5pw7kwoU8FFWLtTFp J9eu46QA6ld5Vs23z3G/V4sBezHU0m8/G2Mx3O0yXvIsguRs6Qjc7n6nd8BkVXU+JtMn 1inYgzYdXb12cWNTJt57nJBYoTtE35zYPPCzyE8Gb6M3/2NGLQLzEw8CuOlpHBvG1VUc 9n8A==
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: fulldisclosure AT seclists.org
Formstack Webhook HMAC Advisory
Formstack is a SaaS company with well over half a million users including major
higher education and healthcare companies. They provide a drag-and-drop form
builder that allows their customers to collect all manner of data.
Formstack's outbound webhook implementation fails to not print the HMAC secret
in every request.
Vendor was given 7 days, multiple emails and a simplified solution to a trivial
problem, but failed to show any urgency or understanding of the implications.
Vendor Response (5, 6, 7 days out respectively):
"Thank you for letting us know about this security issue. Do not worry our
Developers Team has placed this in the queue (high priority) to get fixed.
We do not have an estimate yet, but I know that it is going to be reviewed this
week. We will keep in touch with you ans you’ll be the first one to know once we
have the right information to get this issue fixed."
"Your security is our priority and I have referred this case already to our
Developers Team and they are currently working on this security issue. Rest
assured you’ll hear from us regarding the fix for this issue."
"We thank you for your proactiveness. We will get this fix for sure."
Formstack boasts of its security and HIPAA compliance, and customers can collect
sensitive data including credit card information and personal health information
(PHI). When a form is completed it can be HTTP POSTed to a URL, commonly called
a "webhook". To ensure that data posted into Formstack's clients' systems has
originated from Formstack and is not fabricated by an attacker, they pass along
an HMAC SHA of the body content which is found in an HTTP header.
Their implementation has two flaws:
Firstly, the algorithm is also in the header, and they instruct their clients to
pluck the algorithm from there. This allows attackers to choose less secure
Secondly, they print the HMAC secret in every request body. A single intercepted
request renders the entire exercise pointless, as the attacker now has the
shared secret. This has been observed in production, though you need not look
farther than their documentation for PoC:
This humorous oversight has existed for an unknown amount of time.
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/