[OpenID] Fwd: OpenID Spoofing

Dick Hardt dick at sxip.com
Fri Jan 12 08:08:48 UTC 2007


On 11-Jan-07, at 11:56 PM, Martin Atkins wrote:

> ydnar wrote:
>> You could visit a malicious site that spoofs your IDP, trolling for
>> login info:
>>
>> 1. Visit site Foo and attempt to log in using OpenID.
>> 2. Site Foo notices you input a LiveJournal URL, and sends you to a
>> spoofed LJ login page.
>> 3. You enter your LJ credentials and are redirected back to site Foo.
>> The spoof site now has your LJ credentials.
>>
>
> I think we're already pretty aware of the OP "phishing" attack. The
> best solution for now is browser extensions that allow the user to
> unambiguously check to see if the current site is their OP. I
> understand that there's currently an experimental Firefox extension
> out there for doing exactly that, though off the top of my head I
> can't remember the name of it.

Sxipper? ;-) http://www.sxipper.com

(there has been heavy discussion of this topic on the Identity Gang list over the past few days)

-- Dick
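The check Martin describes, that the page asking for credentials really is the user's OP, comes down to a strict origin comparison rather than a "does the host name appear in the URL" test. The following added example is not code from the thread, from Sxipper, or from any Firefox extension; it shows the comparison a browser-side helper would need to make, with a naive substring check beside it to show why the naive version fails. The trusted OP list, the sample URLs and the lookalike host names (the `.example` domains) are all constructed for illustration.

```python
"""Strict origin check for "is the current page my OP?" (added example).

Assumptions (not from the thread): the user has registered one or more
trusted OP login URLs in advance, and the helper is given the URL of the
page the browser is currently showing.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """Return (scheme, host, port) for a web URL, or None if it has no usable origin.

    Using urlsplit().hostname means userinfo tricks such as
    https://trusted.example@attacker.example/ resolve to the host that would
    actually be contacted (attacker.example), not the decoy before the '@'.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")  # case and trailing-dot normalisation
    try:
        port = parts.port
    except ValueError:  # malformed port, e.g. "https://host:abc/"
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def is_trusted_op(current_url: str, trusted_ops) -> bool:
    """True only when the current page's origin exactly equals a trusted OP origin.

    Scheme matters too: an http:// copy of an https:// OP is not the OP.
    """
    cur = origin_of(current_url)
    if cur is None:
        return False
    return any(cur == origin_of(op) for op in trusted_ops)


def naive_match(current_url: str, trusted_ops) -> bool:
    """Substring check: the mistake the strict version exists to avoid."""
    return any(urlsplit(op).hostname in current_url for op in trusted_ops)


# Constructed sample data: one trusted OP and a few pages a user might land on.
TRUSTED_OPS = ["https://www.livejournal.com/"]

SAMPLE_PAGES = {
    "genuine":        "https://www.livejournal.com/login?returnto=foo",
    "case/port":      "https://WWW.LiveJournal.COM:443/login",
    "http downgrade": "http://www.livejournal.com/login",
    "subdomain look-alike": "https://www.livejournal.com.lj-login.example/login",
    "userinfo trick": "https://www.livejournal.com@lj-login.example/login",
}


def compare_checks(pages=SAMPLE_PAGES, trusted=TRUSTED_OPS):
    """Return {label: (strict_result, naive_result)} for each sample page."""
    return {
        label: (is_trusted_op(url, trusted), naive_match(url, trusted))
        for label, url in pages.items()
    }


if __name__ == "__main__":
    for label, (strict, naive) in compare_checks().items():
        print(f"{label:22} strict={strict!s:5} naive={naive}")
```

Only the first two sample pages should pass: the strict check accepts the genuine OP whether or not the host is capitalised or the default port is spelled out, and rejects the http:// downgrade, the look-alike subdomain and the userinfo decoy. The naive check passes both look-alikes, which is exactly the gap a spoofed LJ login page lives in.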



