[OpenID] Questions about Spoofing OpenId

Carl Howells chowells at janrain.com
Tue Jan 23 19:59:15 UTC 2007

David Fuelling wrote:
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>> Behalf Of Carl Howells
>> Subject: Re: [OpenID] Questions about Spoofing OpenId
>> Some care has to be
>> taken to make sure that direct cross-linking won't work, but that's not
>> too difficult.
> What do you mean by "direct cross-linking"?

The particular case I was looking at was when the OP does something 
silly, like putting the uploaded image at a fixed location, like 
http://op.com/uploaded_image, and then adds logic to make that display 
something based on the submitted cookie.

That doesn't actually defend against evil proxying, since the URL is 
fixed and the browser *will* submit the correct cookie to 
http://op.com/uploaded_image, meaning that if the evil proxy just 
includes the <img> tag unaltered, they've defeated the attempted security.

The way to handle this is to have each uploaded image at a different 
(non-guessable) URL, and have the html rendering process check your 
cookies and set the correct URL in the <img> tag.  Then, evil proxying 
will get the default content, rather than user-uploaded content.

(reply to general at openid.net instead of specs at openid.net, as that's 
where the thread started, as far as I can see)

More information about the general mailing list