[security] User Impersonation
Martin Atkins
mart at degeneration.co.uk
Mon Mar 5 18:29:42 UTC 2007
Paul C. Bryan wrote:
>
> 3. I, the attacker, set up my attacking OpenID page
> (http://attacker.org/attackjohn.html) with the following link
> relationships:
>
> openid.server = http://rogeidp.org/openid
> openid.delegate = http://secureid.org/jsmith
>
> 4. I go to John's favorite Wiki site, where he has authored a lot of
> content and developed a reputation using his OpenID identity. I can
> authenticate with the site just as he does, and impersonate him in all
> of my further deeds.
>
> </scenario>
>
> So, am I missing something?
>
Yes, you are. :)
In the above situation, despite the "delegate" reference, a site is
required to use the "claimed identifier"
http://attacker.org/attackjohn.html rather than the delegate identifier
http://secureid.org/jsmith, so even if http://rogeidp.org/openid
provides a positive assertion for http://secureid.org/jsmith the end
site will identify you as http://attacker.org/attackjohn.html. You have
gained nothing.
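The rule Martin states above (identify the user by the claimed identifier the user entered, never by the delegate the IdP asserted) as an added Python example; this is not code from the thread or from any OpenID library. It models OpenID 1.x link discovery (openid.server / openid.delegate) and a small relying party that remembers the claimed identifier in its session. The identifier pages, the session ids and the rogue IdP's assertion are constructed for the demo, the assertion is reduced to three fields, and signature verification of the assertion is assumed to have been done elsewhere.

```python
from html.parser import HTMLParser

# Constructed "web": the claimed identifier pages from the scenario in the thread.
PAGES = {
    "http://secureid.org/jsmith": (
        '<html><head><link rel="openid.server" '
        'href="http://secureid.org/openid"></head></html>'
    ),
    "http://attacker.org/attackjohn.html": (
        '<html><head><link rel="openid.server" '
        'href="http://rogeidp.org/openid">'
        '<link rel="openid.delegate" '
        'href="http://secureid.org/jsmith"></head></html>'
    ),
}


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel=... href=...> relationships from an identifier page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attributes = dict(attrs)
        rel, href = attributes.get("rel"), attributes.get("href")
        if rel and href:
            for relation in rel.split():
                self.links[relation.lower()] = href


def discover(claimed_id, pages):
    """Return (server, delegate) for a claimed identifier.

    Without an openid.delegate link the delegate is the claimed identifier itself.
    """
    parser = OpenIDLinkParser()
    parser.feed(pages[claimed_id])
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError(f"no openid.server link at {claimed_id}")
    return server, parser.links.get("openid.delegate", claimed_id)


class RelyingParty:
    """Minimal relying party: keeps the claimed identifier in the session."""

    def __init__(self, pages):
        self.pages = pages
        self.sessions = {}  # session_id -> (claimed_id, server, delegate)

    def begin(self, session_id, claimed_id):
        server, delegate = discover(claimed_id, self.pages)
        self.sessions[session_id] = (claimed_id, server, delegate)
        # The checkid request carries the delegate as openid.identity,
        # because that is the name the IdP knows the user by.
        return {"openid.mode": "checkid_setup",
                "openid.identity": delegate, "server": server}

    def complete(self, session_id, assertion):
        """Return the authenticated user, or None if the assertion does not match."""
        claimed_id, server, delegate = self.sessions.pop(session_id)
        if (assertion.get("openid.mode") != "id_res"
                or assertion.get("issuer") != server
                or assertion.get("openid.identity") != delegate):
            return None
        # The user is whoever owns the claimed identifier that was discovered,
        # not the delegate the IdP vouched for.
        return claimed_id


def naive_user_from_assertion(assertion):
    """The mistake the thread warns against, shown for contrast only: trusting
    openid.identity from the assertion as the user's identity."""
    return assertion["openid.identity"]


def rogue_idp_assert(request):
    """Constructed rogue IdP: vouches for whatever identity it is asked about."""
    return {"issuer": request["server"], "openid.mode": "id_res",
            "openid.identity": request["openid.identity"]}


if __name__ == "__main__":
    rp = RelyingParty(PAGES)
    request = rp.begin("s1", "http://attacker.org/attackjohn.html")
    assertion = rogue_idp_assert(request)
    print("correct RP sees:", rp.complete("s1", assertion))
    print("naive RP sees:  ", naive_user_from_assertion(assertion))
```

Running it shows the point of the reply: the correct relying party logs the attacker in as http://attacker.org/attackjohn.html, while only a relying party that trusts the asserted openid.identity would treat the session as http://secureid.org/jsmith. The `complete` method also rejects an assertion whose issuer differs from the server discovered for that session, so a positive answer from one IdP cannot be replayed into a session that was started against another.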