From 14a4918554568883933f63c0439f0bc0db3c3705 Mon Sep 17 00:00:00 2001 From: David Prothero Date: Tue, 21 Feb 2023 09:01:56 -0800 Subject: [PATCH] Correct the security vulnerability language The secret is used to sign the webhook so you can verify the signature to ensure you know the webhook came from GitHub. If an attacker were to learn or guess the secret, they would be able to create fake events and sign them with the same secret, so you would think they came from GitHub. They would not, however, get access to receive your webhooks. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5df97d8..1ed4e35 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ You can specify a secret value when subscribing to receive webhook events. Keep Don't just enter your "default password" as the secret, use some random value, unrelated text, or best of all: [a hashed value](https://emn178.github.io/online-tools/sha256.html). -> If anyone guesses your secret, they can also subscribe to your webhook events! +> If anyone learns or guesses your secret, they can send fake webhook events! ## Usage @@ -30,4 +30,4 @@ Command | Description `/dbg-add [secret] [previews]` | Subscribe the current channel to the repo webhook events. Optionally takes a secret. Optionally enable link previews. `/dbg-remove ` | Unsubscribe the current channel from the repo webhook events. -> Previews will not display if your repo is set to private. \ No newline at end of file +> Previews will not display if your repo is set to private.
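Review bot: in the first hunk (README line 21), the new `+` line correctly describes the consequence of a leaked secret (forged, validly signed events), but the unchanged context line just above it still recommends "best of all: a hashed value" linked to an online SHA-256 tool, and that advice undercuts the fix. Hashing a guessable input (a password, a word) yields a value that is exactly as guessable once an attacker tries the same hash, and pasting a candidate secret into a third-party web page is itself a disclosure. Since the commit message states the secret's only role is signing so the receiver can verify the signature, suggest rewording the context line in the same change to recommend a long value generated locally from a cryptographically secure random source (for example 32 or more random bytes, hex-encoded), and dropping the external hashing link.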
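Review bot: the second hunk (README lines 30-33) is a whitespace-only change, adding the missing trailing newline flagged by "\ No newline at end of file", and is unrelated to the subject line "Correct the security vulnerability language"; either mention it in the commit message or split it into its own commit so the diff history stays focused. While touching that table, the context line "`/dbg-remove ` | Unsubscribe ..." carries a stray space inside the backticks, which renders as a trailing space in the command name; suggest "`/dbg-remove`" for consistency with the `/dbg-add` row above it.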