[OpenID] Fwd: OpenID Spoofing

Martin Atkins mart at degeneration.co.uk
Fri Jan 12 07:56:58 UTC 2007

ydnar wrote:
> You could visit a malicious site that spoofs your IDP, trolling for  
> login info:
> 1. Visit site Foo and attempt to log in using OpenID.
> 2. Site Foo notices you input a LiveJournal URL, and sends you to a  
> spoofed LJ login page.
> 3. You enter your LJ credentials and are redirected back to site Foo.  
> The spoof site now has your LJ credentials.

I think we're already pretty aware of the OP "phishing" attack. The best 
solution for now is browser extensions that allow the user to 
unambiguously check to see if the current site is their OP. I understand 
that there's currently an experimental Firefox extension out there for 
doing exactly that, though off the top of my head I can't remember the 
name of it.

Obviously better solutions would be nice moving forward, but I don't 
think we're in that bad a place right now.
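
The check such an extension would make, sketched as an added example (not part of the original message and not the code of any actual extension). The pinned OP URL, the function names and the sample URLs are all constructed for illustration:

```javascript
'use strict';
// Added example. PINNED_OP and every URL in SAMPLES are constructed values.
const PINNED_OP = 'https://www.livejournal.com/';

// Reduce a URL to the parts that identify the site; null if it is not a web URL.
function siteOf(urlString) {
  let u;
  try { u = new URL(urlString); } catch (e) { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return {
    scheme: u.protocol,
    host: u.hostname,          // already lower-cased and IDN-encoded by the URL parser
    port: u.port,              // '' when the scheme's default port is used
    userinfo: u.username !== '' || u.password !== '',
  };
}

// Decide whether the page being shown is served by the user's pinned OP.
function checkIsMyOP(currentUrl, pinnedOpUrl) {
  const pin = siteOf(pinnedOpUrl);
  if (!pin || pin.scheme !== 'https:') throw new Error('pinned OP must be an https URL');
  const cur = siteOf(currentUrl);
  if (!cur) return { ok: false, reason: 'not-a-web-url' };
  if (cur.scheme !== 'https:') return { ok: false, reason: 'not-https' };
  if (cur.userinfo) return { ok: false, reason: 'userinfo-in-url' };
  if (cur.host !== pin.host) return { ok: false, reason: 'host-mismatch' };
  if (cur.port !== pin.port) return { ok: false, reason: 'port-mismatch' };
  return { ok: true, reason: 'matches-pinned-op' };
}

const SAMPLES = [
  'https://www.livejournal.com/login',
  'https://WWW.LiveJournal.com:443/login',
  'http://www.livejournal.com/login',
  'https://www.livejournal.com.login.example/login',
  'https://www.livejournal.com@login.example/login',
  'https://www.livejournal.com:8443/login',
  'https://www.livejourn\u0430l.com/login',  // Cyrillic "a" lookalike in place of Latin "a"
];

function classifySamples() {
  return SAMPLES.map((url) => checkIsMyOP(url, PINNED_OP).reason);
}

for (const url of SAMPLES) {
  console.log(checkIsMyOP(url, PINNED_OP).reason.padEnd(18), url);
}
```

The comparison is exact on scheme, host and port, so a lookalike host, a longer host that merely begins with the OP's name, or the OP's name placed in the userinfo part of the URL all fail the check.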
