[security] MyOpenID
Josh Hoyt
josh at janrain.com
Thu Mar 22 17:00:57 UTC 2007
On 3/22/07, Josh Hoyt <josh at janrain.com> wrote:
> On 3/22/07, gaz_sec at hushmail.com <gaz_sec at hushmail.com> wrote:
> > MyOpenID have fixed the problem with their site now so I shall give
> > everyone on this list 1 week from now to contact me (29th March). I
> > have had two people contact me regarding the problem and 1 beta
> > OpenID server was affected and the other wasn't.
>
> I was going to write up the issue on the JanRain blog. Would anyone
> prefer that I wait to post my write up?
Note that the vulnerability only applies to users of Safari. I tested
it with IE6, IE7, Firefox and Opera 9 and users of those browsers were
not exposed. Also note that the vulnerability is due to what I
consider a flaw in Safari's JavaScript security.
Josh