[security] MyOpenID
gaz_sec at hushmail.com
Thu Mar 22 17:45:50 UTC 2007
That is true, the browser affected was Safari, but another OpenID
server was vulnerable to the same sort of attack across multiple
browsers.
On Thu, 22 Mar 2007 17:00:57 +0000 Josh Hoyt <josh at janrain.com> wrote:
>On 3/22/07, Josh Hoyt <josh at janrain.com> wrote:
>> On 3/22/07, gaz_sec at hushmail.com <gaz_sec at hushmail.com> wrote:
>> > MyOpenID have fixed the problem with their site now so I shall give
>> > everyone on this list 1 week from now to contact me (29th March). I
>> > have had two people contact me regarding the problem and 1 beta
>> > OpenID server was affected and the other wasn't.
>>
>> I was going to write up the issue on the JanRain blog. Would anyone
>> prefer that I wait to post my write up?
>
>Note that the vulnerability only applies to users of Safari. I tested
>it with IE6, IE7, Firefox and Opera 9 and users of those browsers were
>not exposed. Also note that the vulnerability is due to what I
>consider a flaw in Safari's JavaScript security.
>
>Josh