The Webhook::verify
function incorrectly compared signatures of
different lengths - the two signatures would only be compared up to
the length of the shorter signature. This allowed an attacker to
pass in v1,
as the signature, which would always pass verification.
{ "license": "CC0-1.0" }