The length extension attack exploits a mistaken assumption: that HASH(secret + message) is a signature only they can create, as long as only they know "secret".