Strava Community Hub

Offering additional threat assessment and mitigations in the absence of an IP safelist:

When considering all of the exposed Strava endpoints on my webserver, I don't see any serious threats (other than DOS attacks) except the webhook callback, which needs some special attention:

• Token exchange endpoint (Where you redirect your users after the authorize page).
  • Threat model: This endpoint accepts a token code. The fact that a code exists means the user gave permission; interception is of no value. Moreover, only a legit user will have one that can be exchanged for an access token.
  • Mitigation: Detect a non-success status code from Strava at /oauth/token.
  • Caveats:  You can still get spammed (DDOSed) with bogus codes. Strava might think you are the threat calling /oauth/token too much.
• Callback challenge (with hub_challenge and verify_token).
  • Threat model: Only Strava will have your verify_token.
  • Mitigation: Check the verify_token.
  • Caveats: 
    • You can still get spammed (DDOSed) with bogus codes. There's no call to Strava, so they don't think you are a threat.
    • Your token could be guessed (try until they get an echo back), but it's not of much value. The user will just get their challenge echoed back.
• Webhook callback
  • Threat model:
    • Subscription IDs seem to be issued sequentially, and I am getting IDs less than 250,000, so it's possible someone could scan them linearly and discover yours.
  • Mitigations:
    • Check given subscription_id against your known ID(s).
    • Check owner_id against your known authorized users.

Hope that helps,

Doug