[security] MyOpenID
gaz_sec at hushmail.com
Wed Mar 21 19:58:55 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
No problem Scott, I want OpenID to work, and I feel the best way of
making it work would be to highlight problems. I must say your team
have been excellent in responding to my bug.
Thanks
Gareth
On Wed, 21 Mar 2007 19:25:36 +0000 Scott Kveton <scott at janrain.com>
wrote:
>Just as a quick update, we have the MyOpenID team looking very closely at
>this and they are working with Gareth on it to pinpoint the exploit/problem.
>Right now it appears to be a Safari-only exploit ... No matter what, we'll
>get a fix out as well as publish the details.
>
>Gareth: you've been great on this so far ... Thanks so much for showing
>reserve in publishing the exact exploit.
>
>- Scott
>
>On 3/21/07 12:18 PM, "gaz_sec at hushmail.com" <gaz_sec at hushmail.com>
>wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> The site checks the session and also uses a unique session token.
>>
>> You have to be logged onto the OpenID server in order for this to
>> work.
>>
>> On Wed, 21 Mar 2007 19:09:13 +0000 thayes0993 at aol.com wrote:
>>>> 2. The second problem is more serious you can create a specially
>>>> crafted web page to automatically log on to a web site and also add
>>>> that web site to the allow forever trusted site. The only
>>>> requirement is that you have to be logged onto the OpenID server.
>>>
>>> This case I don't understand well. If the provider prevents replay
>>> attacks of trust dialogs with the user (e.g. nonce in form) and requires
>>> the request to come from the user agent with a valid session, how could
>>> a remote site establish such permanent trust?
>>>
>>> I would assume this is a bug in the OP, which is probably
>>> accepting a POST without any credentials other
>>> than a session cookie.
>>>
>>> Terry
>>>
>>> -----Original Message-----
>>> From: Paul C. Bryan <email at pbryan.net>
>>> To: gaz_sec at hushmail.com
>>> Cc: security at openid.net
>>> Sent: Wed, 21 Mar 2007 10:50 am
>>> Subject: Re: [security] MyOpenID
>>>
>>> On Wed, 2007-03-21 at 13:33 +0000, gaz_sec at hushmail.com wrote:
>>>
>>>> 1. First of all if you sign into a OpenID server in this case
>>>> (MyOpenID.com) then logon to an OpenID enabled site like
>>>> (http://ficlets.com/) then sign out of the OpenID enabled site. It
>>>> is possible to log them back onto the site from any remote web site.
>>>
>>> Presumably, this is true only:
>>>
>>> a) as long as I am still logged into the OpenID provider,
>>> b) the remote site knows the OpenID login URL of the client site.
>>>
>>> Correct? The risk here is that I would have a session with the client
>>> site without explicitly asking for it?
>>>
>>>> 2. The second problem is more serious you can create a specially
>>>> crafted web page to automatically log on to a web site and also add
>>>> that web site to the allow forever trusted site. The only
>>>> requirement is that you have to be logged onto the OpenID server.
>>>
>>> This case I don't understand well. If the provider prevents replay
>>> attacks of trust dialogs with the user (e.g. nonce in form) and requires
>>> the request to come from the user agent with a valid session, how could
>>> a remote site establish such permanent trust?
>>>
>>>> Both cases can be prevented if the OpenID specification requires
>>>> authorisation regardless of a cached token.
>>>
>>> I think the second case already requires authorization by the user.
>>> Properly developed providers should ask for the user to grant trust to
>>> the consumer site, and not be susceptible to crafted requests to bypass
>>> user dialog.
>>>
>>> Paul
>>>
>>> _______________________________________________
>>> security mailing list
>>> security at openid.net http://openid.net/mailman/listinfo/security
>>
>
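The mitigation Terry and Paul describe above (the OP's own trust dialog carrying a per-session nonce, so a POST authenticated by nothing but the session cookie is refused) as an added Python example; this is illustrative code written for this page, not MyOpenID's, and the Session class, the handler names and the trust_root values are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session of a user logged into the OpenID provider (constructed)."""
    user: str
    trusted_sites: set = field(default_factory=set)
    # Secret the OP embeds as a hidden field in its trust dialog; rotated on use.
    form_nonce: str = field(default_factory=lambda: secrets.token_hex(16))


def render_trust_form(session: Session, trust_root: str) -> dict:
    """Fields the OP's own trust dialog submits, nonce included."""
    return {"trust_root": trust_root, "allow_forever": "1", "nonce": session.form_nonce}


def approve_trust_weak(session: Session, form: dict) -> bool:
    """The bug Terry suspects: any POST that arrives with a valid session cookie
    is honoured, so a page on another origin can submit it in the user's browser."""
    if session is None:
        return False
    session.trusted_sites.add(form["trust_root"])
    return True


def approve_trust_hardened(session: Session, form: dict) -> bool:
    """Requires the session AND the nonce only the OP's own dialog could embed;
    the nonce is rotated after a successful use so the form cannot be replayed."""
    if session is None:
        return False
    submitted = form.get("nonce", "")
    if not hmac.compare_digest(submitted, session.form_nonce):
        return False
    session.trusted_sites.add(form["trust_root"])
    session.form_nonce = secrets.token_hex(16)  # one-time use
    return True


def simulate_cross_site_post(session: Session, handler) -> bool:
    """Constructed forged request: the browser attaches the victim's cookie
    (so `session` is present) but the other origin cannot read the nonce."""
    forged_form = {"trust_root": "http://third-party.example/", "allow_forever": "1"}
    return handler(session, forged_form)
```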