[security] Open Redirector issue with checkid_immediate

Allen Tom atom at yahoo-inc.com
Tue Jun 9 04:53:00 UTC 2009


John Bradley wrote:
>
> There is also nothing to stop the OP from checking the referrer,  if 
> the referring site is different from the return_to that is suspicious.
>
The primary attack vector for phishing tends to be IM, so there would be 
no referrer.
>
> If this is used on a web site it seems like a lot of trouble to go to. 
> They are already on a bad site.
Another attack vector could be a message board, which isn't necessarily 
a malicious message board controlled by the attacker. The scenario is 
that the attacker posts a link on the message board saying "check out my 
photos, click here to continue" and the victim examines the link and 
trusts the OP's domain. The OP then redirects to the attacker's site.

As I said earlier, this scenario isn't really that much different than 
TinyURLs.

>
> I will throw in signed requests again because I have been asked why 
> openID doesn't support that by some large potential RPs.
>
Requiring the RP to sign the request using a shared secret would be more 
consistent with other auth protocols, however it would probably require 
the RP to pre-register with each OP. This breaks a lot of the 
autoconfiguration/autodiscovery features of OpenID.

Thanks
Allen



