[security] MyOpenID
Scott Kveton
scott at janrain.com
Wed Mar 21 13:25:24 PDT 2007
> If it's a protocol issue there are several providers that
> can be hurt, so pls exercise restraint in disclosing before
> other providers apart from MyOpenID have a chance to act!
That's a great point Hans, we'll exercise restraint as well if that's the
case.
> Best would be some timeline to get concerned implementations a
> chance to contact you and ask if their provider is vulnerable
> (like I did in a separate email) and then give some time for
> these parties to patch?
Excellent idea. This seems like a great wiki topic "How to report a
security vulnerability".
- Scott
>> -----Original Message-----
>> From: security-bounces at openid.net
>> [mailto:security-bounces at openid.net] On Behalf Of gaz_sec at hushmail.com
>> Sent: Wednesday, March 21, 2007 12:15 PM
>> To: security at openid.net
>> Subject: Re: [security] MyOpenID
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> No, in my opinion the provider is following the correct
>> implementation of OpenID so I think it is a problem with
>> OpenID itself. It can be easily solved but provides
>> inconvenience to the user of the OpenID service. I shall
>> email the flaw once the provider has got back to me with a fix.
>>
>> On Wed, 21 Mar 2007 18:55:21 +0000 "Paul C. Bryan"
>> <email at pbryan.net> wrote:
>>> On Wed, 2007-03-21 at 18:51 +0000, gaz_sec at hushmail.com wrote:
>>>
>>>> I do have a working example that works in 1 browser at the moment
>>>> but I can't send it because it is currently being fixed by
>>>> MyOpenID. When I find out it has been fixed I shall send the
>>>> example to the list.
>>>
>>> Presumably, then, this second case is a bug in a provider
>>> implementation, not the protocol.
>>>
>>> Paul
>> -----BEGIN PGP SIGNATURE-----
>> Note: This signature can be verified at
>> https://www.hushtools.com/verify
>> Version: Hush 2.5
>>
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> security mailing list
>> security at openid.net
>> http://openid.net/mailman/listinfo/security
>>