[OpenID] Yahoo hijacking?
SitG Admin
sysadmin at shadowsinthegarden.com
Fri Apr 18 23:38:46 UTC 2008
>if I go to Yahoo for an OpenID login, and then change my mind and
>say "I do not want to login", they take me to
><http://www.yahoo.com>www.yahoo.com!!!
Side question - if they used CSRF to have you request (via GET) the
appropriate page from the Relying Party, would that be acceptable? Is
it sufficient to have the user notify the RP that nothing further
will be happening, or should the user visit the site normally to
continue further interactions, and at least have the chance to
receive further info directly from the site?
I can see malicious RPs saying "You changed your mind? Well then
here's a page full of nasty ActiveX that will try to infect your
machine, have a nice day.", but I can also see a friendly site saying
"Your comment has been preserved, would you like to post it as
'Anonymous'?" or showing the user a list of features that they can
access if they log in.
-Shade