[OpenID] Association poisoning
Martin Atkins
mart at degeneration.co.uk
Sun Mar 8 17:20:11 UTC 2009
Andrew Arnott wrote:
> If you write an OpenID relying party library or custom implementation, you
> might want to review a post I just wrote on a potential security hole I've
> never heard anyone else talk about:
>
> http://blog.nerdbank.net/2009/03/openid-association-poisoning.html
So, just to be clear, the flaw here is employing a simple assoc_handle
to assoc secret mapping without considering which OP belongs to the
assoc_handle?
That is a pretty serious problem. Have you found any RP implementations
that *are* vulnerable?
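To make the flaw Martin summarises concrete, here is an added example that is not part of the thread or of any RP library it mentions. It models an RP association store in two forms: one keyed by assoc_handle alone, and one keyed by (op_endpoint, assoc_handle). It assumes, as in OpenID 2.0, that the OP chooses the assoc_handle in its association response, so a hostile OP the RP also associates with can hand back a handle the victim OP already issued. The endpoints, handles, MAC keys, and assertion fields are constructed for the walkthrough; the signing is the standard HMAC over the key-value form of the openid.signed fields.

```python
import base64
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed endpoints for the walkthrough (not real services).
VICTIM_OP = "https://op.example.com/endpoint"
ATTACKER_OP = "https://evil.example.net/endpoint"


def kv_form(params: Dict[str, str]) -> bytes:
    """Key-value form of the fields named in openid.signed, in that order."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in fields).encode()


def sign(params: Dict[str, str], mac_key: bytes) -> str:
    """HMAC-SHA256 over the key-value form, base64-encoded (HMAC-SHA256 assoc type)."""
    digest = hmac.new(mac_key, kv_form(params), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


class VulnerableRP:
    """Association store keyed by assoc_handle alone: the mapping Martin describes."""

    def __init__(self) -> None:
        self.assocs: Dict[str, bytes] = {}

    def store_association(self, op_endpoint: str, handle: str, mac_key: bytes) -> None:
        self.assocs[handle] = mac_key  # op_endpoint is ignored: any OP can claim "handle"

    def verify(self, params: Dict[str, str]) -> bool:
        mac_key = self.assocs.get(params["openid.assoc_handle"])
        if mac_key is None:
            return False
        return hmac.compare_digest(sign(params, mac_key), params["openid.sig"])


class HardenedRP:
    """Association store keyed by (op_endpoint, assoc_handle)."""

    def __init__(self) -> None:
        self.assocs: Dict[Tuple[str, str], bytes] = {}

    def store_association(self, op_endpoint: str, handle: str, mac_key: bytes) -> None:
        self.assocs[(op_endpoint, handle)] = mac_key

    def verify(self, params: Dict[str, str]) -> bool:
        # The secret is looked up under the OP the assertion claims to come from.
        # (A real RP must additionally check that op_endpoint matches what discovery
        # on claimed_id returned; that check is outside this example.)
        key = (params["openid.op_endpoint"], params["openid.assoc_handle"])
        mac_key = self.assocs.get(key)
        if mac_key is None:
            return False
        return hmac.compare_digest(sign(params, mac_key), params["openid.sig"])


def build_assertion(op_endpoint: str, handle: str, mac_key: bytes) -> Dict[str, str]:
    """Constructed positive assertion (openid.mode=id_res) signed with mac_key."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": "https://alice.example.com/",
        "openid.identity": "https://alice.example.com/",
        "openid.return_to": "https://rp.example.org/finish",
        "openid.response_nonce": "2009-03-08T17:20:11ZabcDEF",
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, mac_key)
    return params


def run_scenario(rp) -> Tuple[bool, bool]:
    """Returns (forged_assertion_accepted, genuine_assertion_accepted)."""
    victim_key = b"victim-mac-key-constructed-for-example"
    attacker_key = b"attacker-mac-key-constructed-for-example"
    # 1. RP associates with the victim OP; the OP chooses handle "h1".
    rp.store_association(VICTIM_OP, "h1", victim_key)
    # 2. The attacker's OP gets the RP to associate with it and hands back the
    #    same handle. A store keyed by handle alone now holds the attacker's key
    #    under "h1" (if the store refused overwrites, the attacker would simply
    #    associate first).
    rp.store_association(ATTACKER_OP, "h1", attacker_key)
    # 3. The attacker forges an assertion naming the victim OP as op_endpoint
    #    and signs it with the key it shares with the RP.
    forged = build_assertion(VICTIM_OP, "h1", attacker_key)
    # 4. A genuine assertion from the victim OP, signed with the victim's key.
    genuine = build_assertion(VICTIM_OP, "h1", victim_key)
    return rp.verify(forged), rp.verify(genuine)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableRP()))  # (True, False)
    print("hardened:  ", run_scenario(HardenedRP()))    # (False, True)
```

The handle-only store both accepts the forgery and stops accepting the victim OP's real assertions once its entry is overwritten; keying the store by the OP endpoint as well fixes both, since the forged assertion is verified against the key the RP actually shares with the OP it claims to come from.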