[OpenID] authentication spoofing security challenge

Rowan Kerr rowan at standardinteractive.com
Fri Dec 22 20:31:43 UTC 2006


On 12/22/06, David Nicol <davidnicol at gmail.com> wrote:
> The discussion in
> http://digg.com/programming/OpenID_is_growing_in_momentum
> includes the following challenge:
>
> > ok.. not to be a complete egomaniac here, really, but my openid is gavinengel.com (points to Vox id provider, and no I did not have to use any extra code like people keep referring to)
> > I'm very interested if anyone can post with my id on any livejournal page. I seriously doubt you could, I have as much faith in this authentication as I do in the best of them.

If he had set LiveJournal to "always trust" (or similar), and you
leave a comment on LiveJournal, and he was currently logged in on Vox,
and LiveJournal made a Direct request for authentication (avoiding
knowing a difference in IPs between his session and the attacker) ...
would it not possibly post the comment as him?

-Rowan