An online webhook API I have started using uses HMAC to verify the authenticity of the HTTP POST request.
From my understanding you can only verify the contents of the body of the request if you have the secret key (which was supplied to the service originally).
However, the secret key is included in the JSON data in the body of the request itself.
Is this still reliable? Couldn't a man-in-the-middle read the key, then change the POST contents, recalculate the HASH using the key and change the header as well before forwarding the data? Or am I totally on the wrong track here?
It isn't secure - I let the owners of the API know and they concur and are fixing the issue asap.