OpenID homesite authorization spoofed
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Oct 23 21:13:39 UTC 2006
Let me answer that one....
Josh Hoyt wrote:
>
> After getting a little more information, I'm pretty certain that
> myopenid.com has not allowed unauthorized access.
Yes, it is most likely that in fact this wasn't the case. Perhaps with
a little bit more investment - and the fact that myopenid.com operates
in http mode (i.e. unsecured) - we could have put the missing piece
together in order to allow it. Therefore as of now, I think that the
myopenid authorization was spoofed, but not used at an RP and therefore
did not succeed. However, I didn't check this out and guess it requires
just more time to actually do it... The myopenid site was obviously not
involved at all...
However, this doesn't mean that it wouldn't have been possible, because
of the fact that the site speaks plain text, and therefore my reasoning to
require https is still valid. The investment to succeed would have been
somewhat higher and perhaps more than the 15 minutes I invested in it. A
determined hacker would probably succeed with a little more investment.
> Note that
> myopenid.com does not act as a relying party, so breaking the protocol
> should not prevent a user from having to show their appropriate
> credentials to access their myopenid.com accounts.
>
Now in the steps below, this is one of the options: DNS poisoning of the
RP would have done the trick or sniffing of the shared secret of the
real IDP would have been even easier, I guess...
> If I understand the attack:
>
> 1. Set up a target site to act as the rogue IdP and an identifier that
> lists that IdP as authoritative.
>
> 3. Make name resolution *on the relying party* return the address of
> the server with the compromised identifier.
>
> 4. Begin authentication on any user agent by entering the compromised
> identifier into the login form on the IdP
>
> 5. Successfully redirect to the IdP and approve authentication
>
> 6. The relying party has accepted the compromised identifier without
> contacting the *real* authoritative IdP.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
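The relying-party-side check the post argues for, as an added example that is not code from this thread, from myopenid.com or from any OpenID library: an OpenID 1.1 HTML discovery routine that extracts the `openid.server` and `openid.delegate` links from an identifier page and rejects the identifier, the delegate and the server endpoint whenever any of them is served over plain http. The identifier page, hostnames and URLs below are constructed sample data, not real sites; the function and parameter names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid.server"> and <link rel="openid.delegate">
    from an identifier page, as OpenID 1.1 HTML discovery does. The first
    occurrence of each rel value wins, matching how an RP would read it."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = {k.lower(): v for k, v in attrs if v is not None}
        href = attr.get("href")
        if not href:
            return
        for rel in attr.get("rel", "").lower().split():
            if rel in ("openid.server", "openid.delegate"):
                self.links.setdefault(rel, href)


def discover(identifier_url, page_html):
    """Return what the RP learned about an identifier from its HTML page.
    The claimed identifier is the URL the user typed; the delegate defaults
    to the identifier itself when no openid.delegate link is present."""
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("identifier page carries no openid.server link")
    return {
        "claimed_id": identifier_url,
        "server": server,
        "delegate": parser.links.get("openid.delegate", identifier_url),
    }


def check_discovery(result, require_https=True):
    """Policy check on a discovery result. Returns a list of violations;
    an empty list means the RP may proceed to the server endpoint."""
    problems = []
    for name in ("claimed_id", "server", "delegate"):
        url = urlparse(result[name])
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append(f"{name}: not an absolute http(s) URL")
        elif require_https and url.scheme != "https":
            # Plain http lets the identifier page, and with it the server
            # link, be altered between the RP and the identifier host.
            problems.append(f"{name}: served over plain http")
    return problems


def evaluate_identifier(identifier_url, page_html, require_https=True):
    """Discovery followed by the policy check, in one call."""
    return check_discovery(discover(identifier_url, page_html), require_https)


# Constructed sample identifier pages (hypothetical hosts, not real sites).
PLAINTEXT_PAGE = (
    '<html><head><title>alice</title>'
    '<link rel="openid.server" href="http://idp.example.net/server">'
    '<link rel="openid.delegate" href="http://idp.example.net/users/alice">'
    '</head><body>hi</body></html>'
)
HTTPS_PAGE = (
    '<html><head><title>alice</title>'
    '<link rel="openid.server" href="https://idp.example.net/server">'
    '<link rel="openid.delegate" href="https://idp.example.net/users/alice">'
    '</head><body>hi</body></html>'
)

if __name__ == "__main__":
    for ident, page in (("http://alice.example.org/", PLAINTEXT_PAGE),
                        ("https://alice.example.org/", HTTPS_PAGE)):
        print(ident, evaluate_identifier(ident, page) or "accepted")
```

Requiring https on every URL the RP follows is what makes step 3 of the quoted attack fail rather than succeed quietly: if name resolution on the relying party is poisoned, the substituted host still cannot present a valid certificate for the identifier's hostname, so the RP's fetch of the identifier page errors out instead of handing back a link to the rogue IdP. The policy therefore has to cover the fetch of the identifier page itself, not only the final `openid.server` endpoint, which is why the check above looks at all three URLs.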