[security] MyOpenID

gaz_sec at hushmail.com gaz_sec at hushmail.com
Fri Mar 23 09:53:16 UTC 2007


I have also reported the bug to Apple so any providers which do not
fix this problem should be safe once Apple release a bug fix.

On Thu, 22 Mar 2007 17:45:50 +0000 gaz_sec at hushmail.com wrote:
>That is true the browser affected was Safari but another OpenID
>server was vulnerable to the same sort of attack across multiple
>browsers.
>
>On Thu, 22 Mar 2007 17:00:57 +0000 Josh Hoyt <josh at janrain.com> wrote:
>>On 3/22/07, Josh Hoyt <josh at janrain.com> wrote:
>>> On 3/22/07, gaz_sec at hushmail.com <gaz_sec at hushmail.com> wrote:
>>> > MyOpenID have fixed the problem with their site now so I shall give
>>> > everyone on this list 1 week from now to contact me (29th March). I
>>> > have had two people contact me regarding the problem and 1 beta
>>> > OpenID server was affected and the other wasn't.
>>>
>>> I was going to write up the issue on the JanRain blog. Would anyone
>>> prefer that I wait to post my write up?
>>
>>Note that the vulnerability only applies to users of Safari. I tested
>>it with IE6, IE7, Firefox and Opera 9 and users of those browsers were
>>not exposed. Also note that the vulnerability is due to what I
>>consider a flaw in Safari's JavaScript security.
>>
>>Josh