Posted by Scott Arciszewski on Oct 30
Yes, you’re absolutely right. When I said it’s “almost the ideal situation”
I probably should have clarified what I meant.
I meant to say that both WP-API’s code and textbook examples of hash
constructs specifically vulnerable to length extension attacks involve
concatenating the data you are intending to authenticate with a
cryptographic secret. While their particular order is not known (to me,
anyway) to be as…