[citation needed] The vulnerable hashing functions work by taking the input message, and using it to transform an internal state.
After all of the input has been processed, the hash digest is generated by outputting the internal state of the function.
This can be done by taking advantage of a flexibility in the message format if duplicate content in the query string gives preference to the latter value.
However, with a length extension attack, it is possible to feed the hash (the signature given above) into the state of the hashing function, and continue where the original request had left off, so long as the length of the original request is known.
It is then trivial to initialize a hashing algorithm at that point, input the last few characters, and generate a new digest which can sign his new message without the original key.