Question

Webhooks security


paleloser

According to the current Webhooks Events API documentation, only the client authenticates to Strava upon subscription registration/check, with the API client_id and client_secret.

This is great but IMO insufficient, as both parties should somehow be authenticated. In other words, Strava should authenticate with the webhook subscriber. The way it is done at the moment, an attacker could impersonate Strava's API, sending fake event data to the client's endpoint. The only way the client could defend against this would be checking whether the subscription ID matches or not. But this is neither proposed as a security measure on the documentation site, nor implicit within the process (it's something that the clients would need to implement ad hoc). Moreover, since the subscription_id field is an integer, it could be pretty easy for an attacker to guess the right value.

Is there any other way of dealing with this that you could suggest?

Thanks in advance.

4 replies

  • 0 replies
  • June 29, 2023

Hello everyone.

I have the same security problem regarding the Strava webhook, I consider the "subscription Id" check insufficient.

They only include the hub.verify_token in the GET method (when it would also be necessary in the POST method).

I would need an answer, please, to know if there is another way to secure the webhook (because there is nothing like that in the official documents).

Regards.


  • Hub Rookie
  • 2 replies
  • July 20, 2023

It is only you and Strava that can (should) know the subscription_id. You could do an additional check to verify that the request origin is coming from Strava. Otherwise, you can validate the individual events, and add rate limiting to mitigate DDoS attempts.
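The checks suggested in this reply (verify the one-time hub.verify_token challenge, match the subscription_id, validate each event, and rate limit), written out as an added example that is not Strava's code or anything from this thread. It assumes the documented Strava parameter names (hub.mode, hub.challenge, hub.verify_token in the GET challenge; object_type, object_id, aspect_type, owner_id, subscription_id, event_time in the POST event body) and uses constructed configuration values and a constructed sample event; it deliberately stays framework-free so the functions can be dropped into any HTTP handler.

```python
from __future__ import annotations

import hmac
import json
import time
from collections import deque

# Constructed configuration values for this example (in practice: the
# subscription_id returned when you registered, and a long random token).
EXPECTED_SUBSCRIPTION_ID = 123456
VERIFY_TOKEN = "constructed-random-verify-token"

# Assumed event shape from the Strava Webhooks Events API documentation;
# re-check these names against the current docs before relying on them.
REQUIRED_EVENT_FIELDS = {"object_type", "object_id", "aspect_type",
                         "owner_id", "subscription_id", "event_time"}
VALID_OBJECT_TYPES = {"activity", "athlete"}
VALID_ASPECT_TYPES = {"create", "update", "delete"}

# Constructed sample event body, as the POST callback would deliver it.
SAMPLE_EVENT = json.dumps({
    "object_type": "activity", "object_id": 987654321, "aspect_type": "create",
    "owner_id": 1111, "subscription_id": EXPECTED_SUBSCRIPTION_ID,
    "event_time": 1690000000,
}).encode()


def handle_subscription_challenge(query: dict) -> tuple[int, dict]:
    """GET handler for the one-time subscription validation; returns (status, body)."""
    if query.get("hub.mode") != "subscribe":
        return 400, {"error": "unexpected hub.mode"}
    # constant-time comparison so the token cannot be recovered byte by byte via timing
    if not hmac.compare_digest(query.get("hub.verify_token", ""), VERIFY_TOKEN):
        return 403, {"error": "verify_token mismatch"}
    challenge = query.get("hub.challenge")
    if not challenge:
        return 400, {"error": "missing hub.challenge"}
    return 200, {"hub.challenge": challenge}


def validate_event(raw_body: bytes) -> tuple[bool, str]:
    """Parse a POST event body and check shape plus subscription_id."""
    try:
        event = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError):
        return False, "body is not valid JSON"
    if not isinstance(event, dict):
        return False, "body is not a JSON object"
    missing = REQUIRED_EVENT_FIELDS - event.keys()
    if missing:
        return False, f"missing fields: {sorted(missing)}"
    for field in ("object_id", "owner_id", "subscription_id", "event_time"):
        if not isinstance(event[field], int) or isinstance(event[field], bool):
            return False, f"{field} is not an integer"
    if event["subscription_id"] != EXPECTED_SUBSCRIPTION_ID:
        return False, "subscription_id mismatch"
    if event["object_type"] not in VALID_OBJECT_TYPES:
        return False, "unknown object_type"
    if event["aspect_type"] not in VALID_ASPECT_TYPES:
        return False, "unknown aspect_type"
    return True, "ok"


class RateLimiter:
    """Sliding-window limiter keyed by source address; clock is injectable for tests."""

    def __init__(self, max_events: int, window_seconds: float, clock=time.monotonic):
        self.max_events, self.window, self.clock = max_events, window_seconds, clock
        self.hits: dict[str, deque] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


def handle_event_post(raw_body: bytes, source_ip: str, limiter: RateLimiter) -> tuple[int, str]:
    """POST handler: rate limit first, then validate; returns (status, outcome)."""
    if not limiter.allow(source_ip):
        return 429, "rate limited"
    ok, reason = validate_event(raw_body)
    if not ok:
        # Answer 200 regardless of why the event was rejected, so the response
        # does not act as an oracle for guessing the integer subscription_id.
        return 200, "ignored"
    # Shape and subscription_id match; treat the event as a hint only and fetch
    # the referenced object through the authenticated API before acting on it.
    return 200, "accepted"


if __name__ == "__main__":
    print(handle_subscription_challenge({"hub.mode": "subscribe", "hub.verify_token": VERIFY_TOKEN,
                                         "hub.challenge": "abc"}))
    print(handle_event_post(SAMPLE_EVENT, "203.0.113.5", RateLimiter(100, 60)))
```

Because a mismatched subscription_id or a malformed body is answered exactly like a good event, a sender probing for the right integer learns nothing from the response; the only thing an unauthenticated POST can trigger is an authenticated re-fetch of the named object, which is the design choice that makes the missing origin authentication tolerable.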


Jan_Mantau
  • Superuser
  • 930 replies
  • August 10, 2023

It's funny that we have to use the complicated OAuth workflow for authentication and authorization, but Strava wants to access our systems without any standardized authentication. That prevents me from using webhooks at all.


optimisticprom

Reviving this conversation because this is actually a fairly big concern.

As mentioned, the hub.verify_token is only used once, at the time Strava verifies the webhook endpoint. Why isn’t this parameter included in all calls from the Strava webhook?

Or, even better would be a security header with credentials included along with the Client ID and Secret for the app.

Looking through the rest of the Community Hub, it looks like the most common method of verification is whitelisting IPs, but even that seems to be too fluid to be reliable long term.

