[security] The dangers of CSS iframe overlays
gaz_sec at hushmail.com
Tue Oct 23 20:12:58 UTC 2007
I can confirm Verisign have now fixed this vulnerability. I'm very
pleased with the response times of OpenID providers, keep up the
good work and I'm sure OpenID can become a secure service for
everyone.
Note to other vendors: I may change the proof of concept to use your
site if you do not use any frame protection.
On Mon, 15 Oct 2007 10:02:12 +0100 gaz_sec at hushmail.com wrote:
>Hi all
>
>I've created a proof of concept which highlights the problem of
>single sign on providers not providing iframe protection and
>remembering the password.
>
>The demo uses a Verisign account (It was the first provider I found
>without iframe protection)
>
><http://www.thespanner.co.uk/2007/09/28/openid-security-css-overlays/>
>
>Cheers
>
>Gareth