{"id":8842,"date":"2019-01-25T10:00:46","date_gmt":"2019-01-24T23:00:46","guid":{"rendered":"https:\/\/developers.messagemedia.com\/?p=1386"},"modified":"2019-01-25T10:00:46","modified_gmt":"2019-01-24T23:00:46","slug":"why-your-business-needs-enterprise-webhooks","status":"publish","type":"blog","link":"https:\/\/messagemedia.com\/au\/blog\/why-your-business-needs-enterprise-webhooks\/","title":{"rendered":"Why your business needs Enterprise Webhooks"},"content":{"rendered":"<p>Gone are the days of polling APIs for data, thanks to instant notification mechanisms known as webhooks.\u00a0At MessageMedia, we love webhooks because they allow you to access data in real time. For example, webhooks enable you to receive notifications when messages are delivered via the Messaging API. While incredibly powerful and efficient, webhooks can create dangerous security vulnerabilities in your application if they are not handled properly.<\/p>\n<p>Just last year, GDPR came into being, Google (Chrome) started calling out non-HTTPS-compliant sites and the mandatory data breach notification commenced. This sudden tightening of security shouldn\u2019t come as a surprise. In 2018 H1 alone, <a href=\"https:\/\/www.statista.com\/statistics\/273550\/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed\/\">the number of data breaches in the United States amounted to 668 with over 22 million records exposed<\/a>. What were the consequences, you ask? Damage to reputation, loss of data and countless financial troubles to fix the breaches. <a href=\"https:\/\/www.arnnet.com.au\/article\/634174\/equifax-data-breach-could-most-costly-corporate-history\/\">Equifax\u2019s financial breach back in 2017<\/a> is estimated to cost them around US$600 million. 
Security is clearly not a matter to be taken lightly.<\/p>\n<p>If you&#8217;ve already read about\u00a0secure webhooks, you&#8217;ll know that generic webhooks create a virtual &#8220;door&#8221; into your system, which can easily be exploited to send it malicious data.\u00a0It\u2019s important to protect your data by ensuring information comes from verified sources, thereby preventing unwanted data from entering your application. While there are steps you can take to secure your webhooks, companies with sensitive data may wish for further protection.<\/p>\n<p>At MessageMedia, we believe security should never be compromised, which is why we\u2019ve built Enterprise Webhooks. In this blog post, we\u2019ll be talking about how you\u2019re vulnerable to breaches and how Enterprise Webhooks ensures the security of your application.<\/p>\n<h3>Life without Enterprise Webhooks<\/h3>\n<p>If your system is exchanging data with an external API, then chances are you are using webhooks. But what if an outside party knows the URL the external API uses to communicate with your application? Let\u2019s say you\u2019re working in a bank and every transaction needs to be sent to the URL<\/p>\n<pre><a href=\"https:\/\/mynotsosecurebank.com\/transaction\">https:\/\/mynotsosecurebank.com\/transaction<\/a><\/pre>\n<p>where it\u2019s processed. 
So, if you wanted to transfer $1000 to your savings account, the payload sent to the URL would look like this:<\/p>\n<pre>{\n\"name\": \"Ibrahim Tareq\",\n\"sender_account_no\": \"1234 1234\",\n\"amount\": \"1000\",\n\"receiver_account_no\": \"5678 5678\"\n}<\/pre>\n<p>Now if I\u2019m a disgruntled ex-employee, I can send a fake payload to<\/p>\n<pre><a href=\"https:\/\/mynotsosecurebank.com\/transaction\">https:\/\/mynotsosecurebank.com\/transaction<\/a><\/pre>\n<p>which might look like this:<\/p>\n<pre>{\n\"name\": \"Ibrahim Tareq\",\n\"sender_account_no\": \"1234 1234\",\n\"amount\": \"1000\",\n\"receiver_account_no\": \"<strong>9010 9010<\/strong>\"\n}<\/pre>\n<p>Notice how it looks exactly the same as the genuine payload. The system will now process the data and transfer $1000 from your account to mine. Now that\u2019s just me playing nice, but an actual hacker could potentially transfer hundreds of thousands of dollars from your account. And it doesn\u2019t stop there.<\/p>\n<p>Let\u2019s take a look at another example. Picture yourself working at the taxation office in the department where you\u2019re responsible for paying out tax returns to the hardworking citizens of the country. The core application used to perform the calculations and do the heavy lifting is integrated with an external API, and they\u2019re using webhooks to communicate with each other. The taxation office is a little smarter than the bank, so they\u2019ve asked the external API team to append a shared secret to the URL. 
So rather than looking like this<\/p>\n<pre> <a href=\"https:\/\/mykindofsecuretaxoffice.com\/return\">https:\/\/mykindofsecuretaxoffice.com\/return<\/a><\/pre>\n<p>it looks like this<\/p>\n<pre> <a href=\"https:\/\/mykindofsecuretaxoffice.com\/return?secret=a%5edajsd!cm\">https:\/\/mykindofsecuretaxoffice.com\/return?secret=a^dajsd!cm<\/a><\/pre>\n<p>The purpose of this shared secret is that the taxation office\u2019s application can now verify that the URL from which it receives data has the shared secret appended to it; if it doesn\u2019t, the data is not authentic. That\u2019s great, but does it secure your application? Debatable. Since the shared secret remains the same each time data is exchanged, anyone who manages to intercept the payload (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\">MITM attack<\/a>) will get their hands on the shared secret, which means they can start sending fake payloads to your system. You can imagine the amount of damage that can be done to the taxation office if such a scenario were to ever occur.<\/p>\n<h3><strong>Life with Enterprise Webhooks<\/strong><\/h3>\n<p>Enable Enterprise Webhooks and you can forget about having to worry about any of the above scenarios. Once enabled, each and every webhook sent by MessageMedia will be signed. In the first banking scenario, this means that unless the webhook data returned to the bank is signed, the transaction will not be processed by the system. Think of Enterprise Webhooks as a guard that stands at the \u201cdoor\u201d of your application and each time a delivery comes through, it checks to ensure it\u2019s coming from the right sender. 
Here\u2019s a simplified example of what a signed webhook would look like:<\/p>\n<pre>X-MESSAGEMEDIA-SIGNATURE: YdhajTA1p68BrxtWq0hvupEQxA4eliL2rA0t\n{\n\"name\": \"Ibrahim Tareq\",\n\"sender_account_no\": \"1234 1234\",\n\"amount\": \"1000\",\n\"receiver_account_no\": \"<strong>9010 9010<\/strong>\"\n}<\/pre>\n<p>The X-MESSAGEMEDIA-SIGNATURE is an additional header that\u2019s added to all webhooks. There are also other headers that are added but I\u2019ve left them out to keep this blog post simple and easy to understand. Each and every webhook will have a unique signature that can ONLY be decrypted or \u201cunlocked\u201d using a key that is associated with your account. This means that even if someone manages to successfully launch a MITM attack, they won\u2019t be able to view the content of the message as it\u2019s encrypted. Can they decrypt it? No, as they won\u2019t have the key that\u2019s required to do so.<\/p>\n<p>As the saying goes, you can never be too careful. Because if you aren&#8217;t, you might be the victim of a security breach, facing the wrath of angry customers and spending thousands, if not more, trying to cover the costs of the breach. Webhooks, albeit incredibly useful and effective, aren&#8217;t quite secure, especially for government organisations and banks. 
But now using Enterprise Webhooks, you can close that gap and ensure your application is less-prone to security breaches.<\/p>\n","protected":false},"author":0,"featured_media":8934,"menu_order":204,"template":"page-blog-v2.php","meta":{"_acf_changed":false,"popular":false,"coming_soon":false,"link":"","footnotes":""},"blog_category":[37],"class_list":["post-8842","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog_category-developers"],"acf":[],"_links":{"self":[{"href":"https:\/\/messagemedia.com\/au\/wp-json\/wp\/v2\/blog\/8842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/messagemedia.com\/au\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/messagemedia.com\/au\/wp-json\/wp\/v2\/types\/blog"}],"version-history":[{"count":0,"href":"https:\/\/messagemedia.com\/au\/wp-json\/wp\/v2\/blog\/8842\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/messagemedia.com\/au\/wp-json\/wp\/v2\/media\/8934"}],"wp:attachment":[{"href":"https:\/\/messagemedia.com\/au\/wp-json\/wp\/v2\/media?parent=8842"}],"wp:term":[{"taxonomy":"blog_category","embeddable":true,"href":"https:\/\/messagemedia.com\/au\/wp-json\/wp\/v2\/blog_category?post=8842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}