[OpenID] Questions about Spoofing OpenId
chowells at janrain.com
Tue Jan 23 19:59:15 UTC 2007
David Fuelling wrote:
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>> Behalf Of Carl Howells
>> Subject: Re: [OpenID] Questions about Spoofing OpenId
>> Some care has to be
>> taken to make sure that direct cross-linking won't work, but that's not
>> too difficult.
> What do you mean by "direct cross-linking"?
The particular case I was looking at was when the OP does something
silly, like putting the uploaded image at a fixed location, like
http://op.com/uploaded_image, and then adds logic to make that display
something based on the submitted cookie.
That doesn't actually defend against evil proxying, since the URL is
fixed and the browser *will* submit the correct cookie to
http://op.com/uploaded_image, meaning that if the evil proxy just
includes the <img> tag unaltered, they've defeated the attempted security.
The way to handle this is to have each uploaded image at a different
(non-guessable) URL, and have the html rendering process check your
cookies and set the correct URL in the <img> tag. Then, evil proxying
will get the default content, rather than user-uploaded content.
(reply to general at openid.net instead of specs at openid.net, as that's
where the thread started, as far as I can see)
More information about the general