[OpenID] Possible Phishing solution?

Nic James Ferrier nferrier at tapsellferrier.co.uk
Mon Mar 5 17:18:09 UTC 2007


"Brian Suda" <brian.suda at gmail.com> writes:

> Part of the issue around phishing (or as i understand it) is that i go
> to a site and instead of redirecting me to my ACTUAL openID provider,
> it scraps the HTML of my provider and then presents that page slightly
> re-written to POST the data to their servers and capture my Username
> and Password.
>
> This is not ideal, but what if the login form was built via some AJAX?
> then when the evil man-in-the-middle scraps the HTML of the openID
> provider and re-presents it, the AJAX calls to build the form will
> fail because now it is cross-domain calls and the security model does
> not allow for this?
>
> Is this a possible solution or would the evil site just scrap that JS
> file too and manage to build the form from AJAX no matter what?

Yes.


-- 
Nic Ferrier
----------------------------------------------------------
Need a linux/java/python/web hacker?  I'm in need of work!
----------------------------------------------------------
http://www.tapsellferrier.co.uk   



More information about the general mailing list