Fixed version: 1.2.1
CVE-2018-6596 is a critical timing-attack vulnerability affecting django-anymail versions up to 1.2.1. The flaw lets a remote attacker recover the WEBHOOK_AUTHORIZATION secret by measuring response times and then tamper with email tracking data. The vulnerability was publicly disclosed on July 12, 2018, and a patch is available in version 1.2.1.
The vulnerability lies in how django-anymail checks webhook authorization. The WEBHOOK_AUTHORIZATION secret, which is meant to verify that incoming webhook requests (used to track email opens and clicks) are genuine, is compared in a way that is susceptible to a timing attack: an attacker can repeatedly send requests with different secret values and use differences in response time to deduce the correct secret. With the secret in hand, the attacker can forge webhook requests, potentially injecting malicious tracking pixels or altering tracking data so that emails appear to have been opened or clicked by specific users. The consequences include inaccurate analytics, phishing campaigns that pass as legitimate mail, and reputational damage.
CVE-2018-6596 was publicly disclosed in July 2018. No active exploitation campaigns have been definitively linked to this specific vulnerability, but the timing-attack technique is well understood and readily adapted to other contexts. The vulnerability's severity and the potential for data manipulation make it a worthwhile target for attackers. It is not currently listed in CISA's KEV catalog.
Organizations that use django-anymail for email sending and tracking, particularly those relying on webhook integrations for analytics or automation, are at risk. Deployments running older versions (≤1.2.1) and those with lax security practices around webhook authentication are the most exposed.
• python / server:

```python
import requests
import time


def test_webhook_auth(url, secret):
    """Send one webhook request carrying the given secret and return the round-trip
    time in seconds, or -1 if the request itself failed (connection error, timeout).
    Note that a 4xx/5xx response does not raise; it is still timed and returned."""
    start_time = time.perf_counter()
    try:
        requests.post(url, headers={'Authorization': f'Bearer {secret}'}, timeout=10)
        end_time = time.perf_counter()
        return end_time - start_time
    except requests.exceptions.RequestException:
        return -1  # Indicate failure


# Example usage (replace with actual URL and secret)
webhook_url = 'http://your-django-anymail-server/webhooks/your_endpoint/'

# Try a few incorrect secrets and measure response times
for i in range(5):
    test_secret = f'incorrect_secret_{i}'
    response_time = test_webhook_auth(webhook_url, test_secret)
    if response_time > 0:
        print(f'Secret {test_secret}: Response time = {response_time:.4f} seconds')
    else:
        print(f'Secret {test_secret}: Request failed')
```

disclosure
patch
Exploitation status
EPSS: 0.51% (66th percentile)
CVSS vector
The primary mitigation for CVE-2018-6596 is to upgrade to django-anymail version 1.2.1 or later, which includes a fix for the timing attack. If an immediate upgrade is not feasible, consider rate limiting on webhook endpoints to make brute-force guessing harder. Also review any third-party integrations that depend on email tracking data to make sure their integrity is not silently undermined. Stricter webhook validation logic helps where possible, but it is not a substitute for upgrading. After upgrading, confirm the fix by sending webhook requests with incorrect WEBHOOK_AUTHORIZATION values and verifying that the response time stays consistent regardless of the value supplied, which indicates the secret is compared in constant time.
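The weakness described above comes down to how the presented secret is compared with the configured one. The following is an added example written for this page, not django-anymail's own code: it places a short-circuiting `==` check beside a constant-time check built on `hmac.compare_digest`, and includes a deterministic model of why the short-circuiting version leaks. It assumes the secret is sent as HTTP Basic `user:password` credentials; the sample secret, header helper and function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample secret for this example (not a real deployment value).
# Assumption: the webhook secret is presented as HTTP Basic "user:password".
CONFIGURED_SECRET = "anymail:Tr0ub4dor"


def make_basic_header(credentials: str) -> str:
    """Build an 'Authorization: Basic ...' header value from 'user:password'."""
    return "Basic " + base64.b64encode(credentials.encode("utf-8")).decode("ascii")


def parse_basic_auth(header_value):
    """Return the decoded 'user:password' from a Basic Authorization header, else None."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def authorize_variable_time(header_value, configured=CONFIGURED_SECRET) -> bool:
    """Weak pattern: a plain '==' may stop at the first mismatching character
    (memcmp-style), so response time grows with the length of the matching prefix."""
    presented = parse_basic_auth(header_value)
    return presented is not None and presented == configured


def authorize_constant_time(header_value, configured=CONFIGURED_SECRET) -> bool:
    """Hardened pattern: hash both sides, then compare with hmac.compare_digest.
    Hashing first yields equal-length inputs, so neither the length nor the
    content of the presented value changes how long the comparison takes."""
    presented = parse_basic_auth(header_value)
    if presented is None:
        return False
    return hmac.compare_digest(
        hashlib.sha256(presented.encode("utf-8")).digest(),
        hashlib.sha256(configured.encode("utf-8")).digest(),
    )


def chars_examined_by_short_circuit(candidate: str, secret: str) -> int:
    """Deterministic model of the leak: count the characters a left-to-right '=='
    inspects before rejecting. A longer matching prefix means more work, and
    therefore more time, which is the signal a timing attack measures."""
    examined = 0
    for a, b in zip(candidate, secret):
        examined += 1
        if a != b:
            return examined
    return examined


if __name__ == "__main__":
    good = make_basic_header(CONFIGURED_SECRET)
    bad = make_basic_header("anymail:wrong-guess")
    print("valid header accepted:", authorize_constant_time(good))
    print("bad header rejected:", not authorize_constant_time(bad))
    for guess in ("xxxxxxxxxxxxxxxxx", "anxxxxxxxxxxxxxxx", "anymail:Txxxxxxxx"):
        print(f"{guess!r}: short-circuit compare examines "
              f"{chars_examined_by_short_circuit(guess, CONFIGURED_SECRET)} chars")
```

Hashing before `hmac.compare_digest` is deliberate: `compare_digest` returns immediately when the two byte strings differ in length, which would reveal the secret's length. Comparing fixed-size digests removes that side channel as well. Both checkers return the same answers; only the timing behaviour differs, which is why the verification step above looks at response times rather than responses.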
No official patch yet. Look for a workaround or keep watching for updates.
CVE-2018-6596 is a critical vulnerability in django-anymail versions up to 1.2.1 that lets attackers mount a timing attack against the WEBHOOK_AUTHORIZATION secret and potentially manipulate email tracking data.
You are affected if you are using django-anymail versions 1.2.1 or earlier. Upgrade to 1.2.1 or later to mitigate the risk.
Upgrade to django-anymail version 1.2.1 or later. Consider rate limiting on webhook endpoints as an additional precaution.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's criticality and the ease of exploitation make it a potential target.
Refer to the django-anymail security advisory: https://anymail.readthedocs.io/en/latest/security/