OpenID homesite authorization spoofed

Josh Hoyt josh at janrain.com
Mon Oct 23 20:41:49 UTC 2006


On 10/22/06, Alaric Dailey <alaricdailey at hotmail.com> wrote:
> With my consent, Eddy has successfully spoofed OpenID using a server on his
> internal network and then successfully used that to log onto my OpenID account
> at myopenid.com.

After getting a little more information, I'm pretty certain that
myopenid.com has not allowed unauthorized access. Note that
myopenid.com does not act as a relying party, so breaking the protocol
should not prevent a user from having to show their appropriate
credentials to access their myopenid.com accounts.

If I understand the attack:

1. Set up a target site to act as the rogue IdP and an identifier that
lists that IdP as authoritative.

3. Make name resolution *on the relying party* return the address of
the server with the compromised identifier.

4. Begin authentication on any user agent by entering the compromised
identifier into the login form on the IdP

5. Successfully redirect to the IdP and approve authentication

6. The relying party has accepted the compromised identifier without
contacting the *real* authoritative IdP.

Is this the attack that you're describing?

Josh
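As an added illustration of the relying-party side of the scenario above (this is not code from the thread or from myopenid.com): a minimal OpenID 1.x HTML discovery parser with two relying-party checks, one requiring the discovered IdP endpoint to be https so that certificate validation, not name resolution, decides which server is reached, and one requiring an assertion to come from the endpoint discovery produced. The sample pages, domain names and the policy itself are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample pages. GENUINE_PAGE is what the identifier URL really
# serves; SPOOFED_PAGE is what a relying party whose name resolution has
# been redirected would fetch instead (domains are placeholders).
GENUINE_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example.net/server">
<link rel="openid.delegate" href="https://user.idp.example.net/">
</head></html>"""

SPOOFED_PAGE = """<html><head>
<link rel="openid.server" href="http://rogue-idp.internal/server">
</head></html>"""

# OpenID 1.x HTML discovery uses <link rel="openid.server"> and
# <link rel="openid.delegate"> in the identifier page's <head>.
_LINK_RE = re.compile(
    r'<link\s+rel="(openid\.server|openid\.delegate)"\s+href="([^"]+)"', re.I)


def discover(html):
    """Map the openid.* link relations found in an identifier page to hrefs."""
    return {rel.lower(): href for rel, href in _LINK_RE.findall(html)}


def discovery_policy_ok(info):
    """Assumed relying-party policy: the IdP endpoint must be https.

    A spoofed DNS answer can steer the relying party to a rogue host, but
    that host cannot present a valid certificate for the genuine IdP name,
    so the TLS handshake, not DNS, decides whether the fetch succeeds.
    """
    server = info.get("openid.server")
    return bool(server) and urlsplit(server).scheme == "https"


def assertion_matches_discovery(info, op_endpoint):
    """Accept an assertion only if it was issued by the discovered endpoint."""
    return info.get("openid.server") == op_endpoint
```

Run against the two sample pages, the genuine page passes both checks and the spoofed page fails the https policy, which is the point at which the relying party should stop rather than redirect the user agent.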