OpenID homesite authorization spoofed

Alaric Dailey alaricdailey at hotmail.com
Mon Oct 23 05:11:11 UTC 2006


This demonstration only shows how easily the system can be duped, ruining
any reliability.  DNS poisoning would make the situation worse, but given a
little creativity and time, I am sure I could conceive a way to break it in
other ways.

The interesting thing about what we did is that we don't even need to have the
user involved in the attack: we fake our user and use the faked login anywhere
that uses OpenID. I don't need to poison the well, I can use a very specific
attack against one person. Very useful if I wanted to do something as simple
as spam a whole bunch of blogs to get them in trouble.


Even more interesting is that the site that believed the spoof is the site that
WAS spoofed. Sounds REALLY bad to me, for if the site that is being spoofed
can't detect it, what chance does an RP site have?




-----Original Message-----
From: David Nicol [mailto:davidnicol at gmail.com] 
Sent: Sunday, October 22, 2006 11:42 PM
To: Dick Hardt
Cc: Alaric Dailey; general at openid.net
Subject: Re: OpenID homesite authorization spoofed

On 10/22/06, Dick Hardt <dick at sxip.com> wrote:
> Alaric:
>
> 1) details on the attack would be greatly appreciated
>
> 2) the "digital drivers license" is a little ways off.  We are still 
> taking baby steps. OpenID Authentication does not do anything more 
> than prove you were the same entity that was at RP previously. The 
> same functionality of a username and password.
>
> -- Dick

From reading this thread I understand that by using dns spoofing it is
possible -- if I can write to your /etc/hosts file it is possible -- to
pretend to be you in terms of OpenID Authentication, the OpenID equivalent
of modifying a target's getty or sshd binary to collect credentials.

That certainly isn't anything to catastrophize about in my opinion.

--
The Country Of The Blind, by H.G. Wells
http://cronos.advenge.com/pc/Wells/p528.html
