[OpenID] Fwd: OpenID Spoofing

Claus Färber gmane at faerber.muc.de
Tue Jan 16 15:48:30 UTC 2007


Paul Madsen wrote:
> The phisher doesn't need the seal, it lets the valid IDP send the code 
> to the user with the seal. The MITM would only need the seal if it were 
> to try to send the email itself,

If the user does not paste anything into the web page but just follows 
the link sent via email (or IM), the MITM would not get the code.

Claus



