[security] Phishing issues with return_to url and realm

Claus Färber GMANE at faerber.muc.de
Tue Feb 6 14:10:00 UTC 2007


Allen Tom <atom at yahoo-inc.com> wrote:
> http://x.go.com/cgi/x.pl?goto=http://www.jyte.com
> http://www.aol.com/ams/clickThruRedirect.adp?1,2,http://www.jyte.com

> A rogue RP could mask its identity and claim to be go.com or aol.com by
> hiding behind these redirect servers. When serving the Auth Request, an
> OP like myopenid.com will display this message to the user:

> This is EXTREMELY BAD, as users expect to trust their OP, especially if
> they feel extra secure because they configured an anti-phishing image
> (like MyOpenID's Personal Icon) and enabled SafeSignIn. This is
> particularly bad if the OP passes sensitive personal information or
> credentials via an extension in the Auth Response.

It's not as bad as it looks. The association process usually starts with
the user visiting the RP and then being redirected to the OP. So the
user actually _knows_ what RP he is dealing with.

The rogue RP (http://example.com/redirect=http://example.net) can't
steal private data, either. Even if http://example.com had been granted
access to this data for attribute exchange, the rogue RP would have to
know the shared secret set up during the association process.

Claus
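As an added illustration of the two points made in this thread (not code from the original mail or from any OpenID library), the following Python shows why a response relayed through a redirector is worthless without the association secret, and what a simple defensive check on a return_to URL can look like. It assumes an OpenID 1.1/2.0-style HMAC-SHA1 association; the MAC key, the sample response fields and the function names (`verify_response`, `looks_like_open_redirect`) are constructed for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote, urlsplit

# Constructed for this example: the MAC key the RP and OP agreed on during
# association. Only these two parties know it; a rogue RP does not.
MAC_KEY = b"constructed-association-mac-key"


def kv_form(params):
    """Key-value form encoding of the fields named in openid.signed."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in fields).encode()


def sign_response(mac_key, params):
    """HMAC-SHA1 over the signed fields, base64 encoded, as the OP would produce it."""
    digest = hmac.new(mac_key, kv_form(params), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_response(mac_key, params, expected_return_to):
    """RP-side check: return_to must be ours and must be covered by a valid signature."""
    if params.get("openid.return_to") != expected_return_to:
        return False
    if "return_to" not in params.get("openid.signed", "").split(","):
        return False
    sig = params.get("openid.sig", "")
    return hmac.compare_digest(sign_response(mac_key, params), sig)


def looks_like_open_redirect(url):
    """OP-side heuristic: flag a return_to whose path or query embeds another absolute URL."""
    parts = urlsplit(url)
    tail = unquote(parts.path + " " + parts.query).lower()
    return "http://" in tail or "https://" in tail


def sample_response():
    """A constructed positive assertion, signed with the association key."""
    params = {
        "openid.mode": "id_res",
        "openid.identity": "http://alice.example/",
        "openid.return_to": "http://www.jyte.com/openid/return",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "mode,identity,return_to,assoc_handle",
    }
    params["openid.sig"] = sign_response(MAC_KEY, params)
    return params


if __name__ == "__main__":
    resp = sample_response()
    print("genuine response verifies:",
          verify_response(MAC_KEY, resp, "http://www.jyte.com/openid/return"))
    forged = dict(resp, **{"openid.identity": "http://victim.example/"})
    print("tampered response verifies:",
          verify_response(MAC_KEY, forged, "http://www.jyte.com/openid/return"))
    print("redirector-style return_to flagged:",
          looks_like_open_redirect("http://x.go.com/cgi/x.pl?goto=http://www.jyte.com"))
```

The RP check is what makes Claus's point concrete: changing any signed field, or signing with a key other than the one from the association, fails `hmac.compare_digest`. The redirector heuristic is the kind of hint an OP could use to warn before displaying a redirect host such as go.com or aol.com as the trusted site; it is a heuristic, not a complete defence, since URLs can be encoded in other ways.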