[security] MyOpenID

gaz_sec at hushmail.com
Wed Mar 21 11:58:13 PDT 2007


Hi Paul

>Presumably, this is true only:
>a) as long as I am still logged into the OpenID provider,
>b) the remote site knows the OpenID login URL of the client site.
>Correct? The risk here is that I would have a session with the
>site without explicitly asking for it?

Yes, you have to be logged on to the OpenID server and must have
"always trust" selected for that site. Finding the OpenID login URL
isn't hard ;)


>> 2. The second problem is more serious: you can create a specially
>> crafted web page to automatically log on to a web site and also
>> that web site to the allow forever trusted site. The only
>> requirement is that you have to be logged onto the OpenID
>This case I don't understand well. If the provider prevents replay
>attacks of trust dialogs with the user (e.g. nonce in form) and
>the request to come from the user agent with a valid session, how
>can a remote site establish such permanent trust?
>> Both cases can be prevented if the OpenID specification requires
>> authorisation regardless of a cached token.
>I think the second case already requires authorization by the
>Properly developed providers should ask for the user to grant
>trust to
>the consumer site, and not be susceptible to crafted requests to
>user dialog.

Actually, it is possible to get the token, but I can't reveal
anything until the problem has been fixed on the MyOpenID server.
At the moment one browser has the problem, but I think it would be
quite easy to produce the same technique for other browsers.

Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5
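
Added example, not part of the original message and not MyOpenID's code: a sketch of the provider-side defence the quoted reply describes (a nonce in the trust form, tied to the user's session) together with the "require authorisation regardless of a cached token" policy proposed in the thread. All function names, the in-memory stores and the sample session and realm values are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # provider secret (constructed for the example)
issued_nonces = set()                 # trust-form tokens issued and not yet used
always_trust = set()                  # (user, realm) pairs approved "forever"


def _mac(session_id, realm, rand):
    msg = f"{session_id}|{realm}|{rand}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_trust_nonce(session_id, realm):
    """Called when the provider renders the trust dialog for this session."""
    rand = secrets.token_hex(16)
    token = f"{rand}.{_mac(session_id, realm, rand)}"
    issued_nonces.add(token)
    return token


def handle_trust_post(session_id, user, realm, token, remember):
    """Accept a trust decision only if it carries a token from our own dialog."""
    if token not in issued_nonces:
        return False  # missing, forged or replayed token
    rand, _, mac = token.partition(".")
    if not hmac.compare_digest(mac, _mac(session_id, realm, rand)):
        return False  # token belongs to another session or relying party
    issued_nonces.discard(token)  # single use
    if remember:
        always_trust.add((user, realm))
    return True


def decide(user, realm, always_prompt):
    """Answer an authentication request from a logged-in user's browser."""
    if always_prompt or (user, realm) not in always_trust:
        return "prompt"        # user must confirm in the dialog
    return "auto-approve"      # cached trust: no user interaction


if __name__ == "__main__":
    t = issue_trust_nonce("sess-A", "https://rp.example/")
    print(handle_trust_post("sess-B", "alice", "https://rp.example/", t, True))
    print(handle_trust_post("sess-A", "alice", "https://rp.example/", t, True))
    print(decide("alice", "https://rp.example/", always_prompt=False))
```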

