[security] MyOpenID

Paul C. Bryan email at pbryan.net
Wed Mar 21 10:50:47 PDT 2007

On Wed, 2007-03-21 at 13:33 +0000, gaz_sec at hushmail.com wrote:

> 1. First of all if you sign into a OpenID server in this case
> (MyOpenID.com) then logon to an OpenID enabled site like
> (http://ficlets.com/) then sign out of the OpenID enabled site. It
> is possible to log them back onto the site from any remote web site.

Presumably, this is true only:

a) as long as I am still logged into the OpenID provider,
b) the remote site knows the OpenID login URL of the client site.

Correct? The risk here is that I would have a session with the client
site without explicitly asking for it?

> 2. The second problem is more serious you can create a specially
> crafted web page to automatically log on to a web site and also add
> that web site to the allow forever trusted site. The only
> requirement is that you have to be logged onto the OpenID server.

This case I don't understand well. If the provider prevents replay
attacks of trust dialogs with the user (e.g. nonce in form) and requires
the request to come from the user agent with a valid session, how could
a remote site establish such permanent trust?

> Both cases can be prevented if the OpenID specification requires
> authorisation regardless of a cached token.

I think the second case already requires authorization by the user.
Properly developed providers should ask for the user to grant trust to
the consumer site, and not be susceptible to crafted requests to bypass
user dialog.


More information about the security mailing list