[OpenID] Yahoo hijacking?

Max Metral max at artsalliancelabs.com
Fri Apr 18 18:28:38 PDT 2008


What is the abuse vector here?  I send my user to Yahoo with a valid
OpenID request including return_url and I'm going to trick them when
they click "no I don't want to login" into going to some other site?
Why wouldn't I have just sent them there directly?  Email can be
deceiving, so I don't mean this to be snide, I'm just not sure what the
attack we're protecting against is.

I would expect you would send them to the return URL with an appropriate
error or "non-success" state.  I like to think of authentication as a
function.  I put some args on the stack, I call you, you return where I
tell you with a result.  The current behavior is like when I tell my
kids to put away their plates and they go play Candyland.

-----Original Message-----
From: Allen Tom [mailto:atom at yahoo-inc.com] 
Sent: Friday, April 18, 2008 9:23 PM
To: Max Metral; general at openid.net
Subject: Re: [OpenID] Yahoo hijacking?

Max Metral wrote:
>
> Now I know that I'm overstating the real problem right now, but it's a
> trajectory thing.  In the Yahoo case, the words say "I do not want to
> login" with a back arrow.  That should not take me to www.yahoo.com.
>   

And where should we send the user? The openid.return_to value is not 
necessarily the referrer, and the user has already told us that they 
don't want to sign in.

If OpenID was able to allow us to verify the referrer (meaning that the 
Authentication Requests were signed using a shared secret between the OP 
and the RP), then it would be safer to return the user back to the
referrer.

Allen
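The two positions in this thread map onto two pieces of code: the OP has to decide where a declining user may be sent, and the RP has to treat whatever comes back as a "non-success" result rather than a login. The following is an added illustration, not code from Yahoo, from OpenID libraries, or from either poster; it assumes the OpenID 2.0 rules for matching openid.return_to against openid.realm (same scheme and port, realm path as a prefix, optional "*." host wildcard) and the openid.mode=cancel negative assertion. The function names are hypothetical.

```python
# Added example (not code from the thread): an OP-side realm check for
# openid.return_to, the negative assertion an OP sends when the user declines,
# and RP-side handling of that "non-success" result. Function names are made up.
from typing import Optional
from urllib.parse import urlparse, urlencode, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"


def _effective_port(u) -> Optional[int]:
    # Explicit port wins; otherwise use the scheme default so
    # "https://rp.example" and "https://rp.example:443" compare equal.
    if u.port is not None:
        return u.port
    return {"http": 80, "https": 443}.get(u.scheme)


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 realm rules: same scheme and port, the realm path is a
    prefix of the return_to path, and the host matches (a leading '*.' in
    the realm host matches that domain and any subdomain of it)."""
    rt, rl = urlparse(return_to), urlparse(realm)
    if rt.scheme not in ("http", "https") or rt.scheme != rl.scheme:
        return False
    if rl.fragment:  # a realm must not carry a fragment
        return False
    if _effective_port(rt) != _effective_port(rl):
        return False
    rt_host = (rt.hostname or "").lower()
    rl_host = (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        base = rl_host[2:]
        if not base or not (rt_host == base or rt_host.endswith("." + base)):
            return False
    elif rt_host != rl_host:
        return False
    return (rt.path or "/").startswith(rl.path or "/")


def build_cancel_redirect(return_to: str, realm: str) -> Optional[str]:
    """OP side: when the user clicks "I do not want to login", send them back
    to return_to with a negative assertion (openid.mode=cancel), but only when
    return_to lies inside the realm the RP declared. Otherwise return None and
    let the caller show a local page instead of redirecting anywhere."""
    if not return_to_matches_realm(return_to, realm):
        return None
    params = urlencode({"openid.ns": OPENID_NS, "openid.mode": "cancel"})
    sep = "&" if urlparse(return_to).query else "?"
    return f"{return_to}{sep}{params}"


def rp_handle_response(query_string: str) -> str:
    """RP side: classify the result delivered to return_to. Only 'assertion'
    may lead to a session, and only after signature verification (not shown)."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    mode = q.get("openid.mode")
    if mode == "cancel":
        return "cancelled"
    if mode == "id_res":
        return "assertion"
    if mode == "error":
        return "error"
    return "invalid"


if __name__ == "__main__":
    # Constructed sample values, not real endpoints.
    print(build_cancel_redirect("https://rp.example/cb?x=1", "https://rp.example/"))
    print(build_cancel_redirect("https://other.example/cb", "https://rp.example/"))
    print(rp_handle_response("openid.mode=cancel&openid.ns=" + OPENID_NS))
```

The realm check is what makes "return to return_to with an error state" a safe default: the OP never redirects to a host the RP did not claim in openid.realm, and the RP treats the cancel as a function returning a failure code, which is the behaviour Max asks for above.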
