[OpenID] Fwd: OpenID Spoofing
Martin Atkins
mart at degeneration.co.uk
Fri Jan 12 07:56:58 UTC 2007
ydnar wrote:
> You could visit a malicious site that spoofs your IDP, trolling for
> login info:
>
> 1. Visit site Foo and attempt to log in using OpenID.
> 2. Site Foo notices you input a LiveJournal URL, and sends you to a
> spoofed LJ login page.
> 3. You enter your LJ credentials and are redirected back to site Foo.
> The spoof site now has your LJ credentials.
>
I think we're already pretty aware of the OP "phishing" attack. The best
solution for now is browser extensions that allow the user to
unambiguously check to see if the current site is their OP. I understand
that there's currently an experimental Firefox extension out there for
doing exactly that, though off the top of my head I can't remember the
name of it.
Obviously better solutions would be nice moving forward, but I don't
think we're in that bad a place right now.
More information about the general
mailing list