[Openid-specs-ab] Scope Attack

Nat Sakimura sakimura at gmail.com
Thu Apr 21 16:57:37 UTC 2011


I was tweeting with a friend of mine in Japanese about an attacker disguising
itself as just requesting authentication and a bit more, and in fact getting
fairly large access privileges.

For example, let the client request scope=openid%20readwrite, saying
"Please login by clicking this button" or showing a login icon.
The user is redirected to the client and presses OK without reading about
what he is about to give up.
He is just thinking that it is authentication - not a big deal - and only at
a later date realizes that something is massively wrong.

What can we do to mitigate this problem?

Nat Sakimura (=nat)
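One server-side mitigation for the scenario described in this post, as an added example that is not part of the original message or of any OpenID specification: the authorization server parses the scope parameter itself, rejects unknown or unregistered scopes, and refuses to treat a request as "just login" whenever any scope beyond identity is present, so the consent screen has to list the elevated privileges explicitly. The scope registry, the authentication-only set, and the client registration are constructed, hypothetical policy for this example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed policy: scopes that only establish who the user is.
AUTHENTICATION_ONLY = {"openid", "profile", "email"}

# Constructed scope registry: scope name -> description shown on the consent screen.
KNOWN_SCOPES = {
    "openid": "confirm who you are",
    "profile": "read your basic profile",
    "email": "read your email address",
    "read": "read your data",
    "readwrite": "read AND MODIFY your data",
}


def parse_scope(raw):
    """OAuth 2.0 scope is a space-separated list; order and duplicates do not matter."""
    return {s for s in raw.split() if s}


def evaluate_request(authorization_url, client_allowed_scopes):
    """Classify an authorization request before any consent screen is rendered.

    Returns a dict with either an 'error' or the consent decision:
    whether the request is authentication-only and which scopes need
    explicit, itemized consent.
    """
    params = parse_qs(urlsplit(authorization_url).query)
    # parse_qs already decodes %20 into a space.
    requested = parse_scope(" ".join(params.get("scope", [])))

    if "openid" not in requested:
        return {"error": "invalid_scope", "reason": "not an OpenID request"}

    # A mistyped or unknown scope is rejected rather than silently ignored,
    # so a client cannot smuggle in something the server does not understand.
    unknown = requested - KNOWN_SCOPES.keys()
    if unknown:
        return {"error": "invalid_scope", "reason": "unknown scope",
                "scopes": sorted(unknown)}

    # A client may only ask for scopes it registered for ahead of time.
    not_registered = requested - set(client_allowed_scopes)
    if not_registered:
        return {"error": "invalid_scope", "reason": "scope not registered for client",
                "scopes": sorted(not_registered)}

    elevated = sorted(requested - AUTHENTICATION_ONLY)
    return {
        "error": None,
        "authentication_only": not elevated,
        "elevated": elevated,
        # Anything beyond identity must be shown and approved item by item;
        # a plain "Login" button is not sufficient consent for it.
        "requires_explicit_consent": bool(elevated),
        "consent_items": [(s, KNOWN_SCOPES[s]) for s in sorted(requested)],
    }


def render_consent(decision, client_name):
    """Build the consent text: elevated privileges are listed first and flagged."""
    if decision["error"]:
        return "error=%s (%s)" % (decision["error"], decision["reason"])
    lines = []
    if decision["authentication_only"]:
        lines.append("%s wants to confirm who you are." % client_name)
    else:
        lines.append("%s is asking for MORE than login:" % client_name)
        for s in decision["elevated"]:
            lines.append("  [!] %s: %s" % (s, KNOWN_SCOPES[s]))
    lines.append("All requested permissions:")
    for s, desc in decision["consent_items"]:
        lines.append("  - %s: %s" % (s, desc))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed request resembling the one in the post.
    url = ("https://as.example/authorize?response_type=code&client_id=app"
           "&scope=openid%20readwrite&redirect_uri=https%3A%2F%2Fapp.example%2Fcb")
    print(render_consent(evaluate_request(url, {"openid", "readwrite"}), "app"))
```

The important property is that the decision is made from the parsed scope set on the server, not from how the client labelled its button: as soon as any non-identity scope is present, `requires_explicit_consent` is true and the consent screen names each elevated scope.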