[OpenID] Possible Phishing solution?

Brian Suda brian.suda at gmail.com
Mon Mar 5 17:04:49 UTC 2007


Part of the issue around phishing (or as i understand it) is that i go
to a site and instead of redirecting me to my ACTUAL openID provider,
it scraps the HTML of my provider and then presents that page slightly
re-written to POST the data to their servers and capture my Username
and Password.

This is not ideal, but what if the login form was built via some AJAX?
then when the evil man-in-the-middle scraps the HTML of the openID
provider and re-presents it, the AJAX calls to build the form will
fail because now it is cross-domain calls and the security model does
not allow for this?

Is this a possible solution or would the evil site just scrap that JS
file too and manage to build the form from AJAX no matter what?

-brian

-- 
brian suda
http://suda.co.uk



More information about the general mailing list