[OpenID] Fwd: OpenID Spoofing
dick at sxip.com
Fri Jan 12 08:08:48 UTC 2007
On 11-Jan-07, at 11:56 PM, Martin Atkins wrote:
> ydnar wrote:
>> You could visit a malicious site that spoofs your IDP, trolling for
>> login info:
>> 1. Visit site Foo and attempt to log in using OpenID.
>> 2. Site Foo notices you input a LiveJournal URL, and sends you to a
>> spoofed LJ login page.
>> 3. You enter your LJ credentials and are redirected back to site Foo.
>> The spoof site now has your LJ credentials.
> I think we're already pretty aware of the OP "phishing" attack. The
> solution for now is browser extensions that allow the user to
> unambiguously check to see if the current site is their OP. I
> believe that there's currently an experimental Firefox extension out there for
> doing exactly that, though off the top of my head I can't remember the
> name of it.
Sxipper? ;-) http://www.sxipper.com
(there has been heavy discussion of this topic on the Identity Gang
list over the past few days)
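The mitigation both replies point at is a client-side check that the page asking for credentials really is the user's own OP. The following is an added example of the core of such a check, not code from the thread, from Sxipper, or from any real extension: the client runs OpenID 1.1 discovery on the user's claimed identifier itself (it must not trust the endpoint the RP redirected to, since the RP may be the phisher) and then compares the origin of the page it is currently on against the origin of the discovered OP endpoint. The identity page markup and the LiveJournal URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of what OpenID 1.1 HTML discovery on a claimed
# identifier returns: a <link rel="openid.server"> in the user's identity
# page. This is made-up markup, not real LiveJournal output.
SAMPLE_IDENTITY_PAGE = """
<html><head>
<link rel="openid.server" href="https://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="https://exampleuser.livejournal.com/">
</head><body>example user</body></html>
"""


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> pairs from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        # rel may carry several space-separated tokens; keep the first href seen per token
        for rel in (attrs.get("rel") or "").lower().split():
            self.links.setdefault(rel, href)


def discover_op_endpoint(identity_html):
    """Return the openid.server URL found on the identity page, or None.

    In a real extension the client fetches the claimed identifier itself
    (assumed here to already be in hand) rather than trusting anything the RP
    supplied in its redirect.
    """
    parser = _LinkRelParser()
    parser.feed(identity_html)
    return parser.links.get("openid.server")


def origin(url):
    """Normalised (scheme, host, port) of a URL; userinfo tricks are ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, host, port)


def is_genuine_op_page(current_url, op_endpoint):
    """True only if the page currently showing a login form shares an origin
    with the OP endpoint found by the client's own discovery."""
    if not op_endpoint:
        return False
    return origin(current_url) == origin(op_endpoint)


if __name__ == "__main__":
    op = discover_op_endpoint(SAMPLE_IDENTITY_PAGE)
    for url in (
        "https://www.livejournal.com/login.bml?returnto=openid",
        "https://www.livejournal.com.evil.example/login.bml",   # look-alike host
        "http://www.livejournal.com/login.bml",                 # scheme downgrade
        "https://www.livejournal.com@evil.example/login.bml",   # userinfo trick
    ):
        print("genuine" if is_genuine_op_page(url, op) else "SPOOF", url)
```

The comparison is on the full (scheme, host, port) origin rather than on a substring of the hostname, which is what defeats the look-alike and userinfo cases above. It says nothing about a login form injected into the real OP's origin (for example via an XSS or open redirect on the OP itself); that is outside what an origin check can detect.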