[OpenID] Yahoo hijacking?
Allen Tom
atom at yahoo-inc.com
Sat Apr 19 01:40:27 UTC 2008
The HTTP Referrer header, just like all other HTTP headers, can never be
trusted.
Currently, the Yahoo OP does not consider the client's HTTP Referrer
header when servicing OpenID Authentication requests.
Yahoo does try to verify that the return_to matches the realm by
performing Yadis discovery on the realm in the request. If the return_to
does not match the XRDS doc that we found through discovery, we'll
display a really ugly warning that the RP cannot be verified.
This realm discovery feature was added to patch a security hole in
OpenID 1.1, and is one of the main reasons why Yahoo does not support
OpenID 1. More details here:
http://openid.net/pipermail/security/2007-February/000241.html
Allen
SitG Admin wrote:
>> And where should we send the user? The openid.return_to value is not
>> necessarily the referrer,
>
> Quick question - what if the user is blocking the referer? Using a
> privacy/anonymizing plugin, etcetera? At that point the
> openid.return_to value is practically *guaranteed* not to match the
> referer. Is the user losing any security by blocking the referer?
>
> -Shade
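The realm check Allen describes, as an added example that is not Yahoo's OP code: OpenID 2.0 realm matching for the return_to, followed by a comparison against the return_to service URIs found in the RP's XRDS document. The XRDS document is constructed, and the wildcard and XRDS-prefix rules are my reading of the OpenID 2.0 spec, not a transcription of Yahoo's implementation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed XRDS document, standing in for what Yadis discovery on the
# realm would fetch from the RP.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example.com/openid/return</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def realm_matches(realm: str, return_to: str) -> bool:
    """OpenID 2.0 realm matching (sec. 9.2, my reading): no fragment in the
    realm, same scheme and port, realm path is a prefix of the return_to
    path, and host equal or, with a leading '*.', the domain or a subdomain."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != u.scheme or r.port != u.port:
        return False
    rhost, uhost = (r.hostname or "").lower(), (u.hostname or "").lower()
    if rhost.startswith("*."):
        base = rhost[2:]
        # 'example.com.evil.net' must not pass as a subdomain of example.com
        if uhost != base and not uhost.endswith("." + base):
            return False
    elif rhost != uhost:
        return False
    return (u.path or "/").startswith(r.path or "/")


def discovered_return_to_urls(xrds_xml: str) -> list:
    """Collect the URIs of every return_to service in an XRDS document."""
    ns = {"xrd": XRD_NS}
    urls = []
    for svc in ET.fromstring(xrds_xml).iter("{%s}Service" % XRD_NS):
        if RETURN_TO_TYPE in [t.text for t in svc.findall("xrd:Type", ns)]:
            urls += [u.text for u in svc.findall("xrd:URI", ns)]
    return urls


def verify_request(realm: str, return_to: str, xrds_xml: str) -> str:
    """'reject' if return_to lies outside the realm, 'verified' if it also
    matches a discovered return_to URI (treated as a prefix pattern), else
    'warn', i.e. the RP could not be verified through discovery."""
    if not realm_matches(realm, return_to):
        return "reject"
    if any(realm_matches(u, return_to) for u in discovered_return_to_urls(xrds_xml)):
        return "verified"
    return "warn"
```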