Length extension attack

In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash(message₁) and the length of message₁ to calculate Hash(message₁ ∥ message₂) for an attacker-controlled message₂. This attack can be used to sign a message when a Merkle–Damgård based hash is misused as a message authentication code, allowing for inclusion of extra information.

This attack can be done on hashes with construction H(secret ∥ message) when message and the length of secret is known. Algorithms like MD5, SHA-1, and SHA-2 that are based on the Merkle–Damgård construction are susceptible to this kind of attack. Note that since HMAC doesn't use the construction H(key ∥ message), HMAC hashes are not prone to length extension attacks. The SHA-3 algorithm is not susceptible to this attack.

The vulnerable hashing functions work by taking the input message, and using it to transform an internal state. After all of the input has been processed, the hash digest is generated by outputting the internal state of the function. It is possible to reconstruct the internal state from the hash digest, which can then be used to process the new data. In this way one may extend the message and compute the hash that is a valid signature for the new message.

A server for delivering waffles of a specified type to a specific user at a location could be implemented to handle requests of the given format:

The server would perform the request given (to deliver a waffle of type eggo to the given location for user 1) only if the signature is valid for the user. The signature used here is a MAC, signed with a key not known to the attacker. (This example is also vulnerable to a replay attack, by sending the same request and signature a second time.)

...
Wikipedia