[security] XSRF and unsolicited assertions

Andrew Arnott andrewarnott at gmail.com
Thu Jul 5 13:56:23 UTC 2012


It seems to me that protecting an RP's return_to URL from XSRF requires
effectively breaking the reception of unsolicited assertions.  Because in
fact an unsolicited assertion is a message from another site, not asked
for, that logs the user in.  The XSRF attack of course would occur when the
user didn't consent to or wasn't aware of such a message being passed.  A
victim could be visiting the attacker's web site, which has javascript
prepared to discreetly post a valid OpenID assertion the attacker had
previously obtained to the victim's account at some RP.  The attacker has
then managed to get future actions the victim takes on that web site to
apply to the attacker's account instead of the victim's.  It seems like an
information disclosure threat, among possibly others.

Thoughts?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
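
One RP-side mitigation for the threat described above, added here as an example and not code from the post or from any OpenID library: bind each authentication request to the browser session with a one-shot token carried in return_to, and refuse any assertion whose return_to does not carry the token this session is waiting for (which, as the post notes, means unsolicited assertions are rejected too). It assumes the RP has already verified the assertion's signature, which covers openid.return_to in OpenID 2.0, so the token in return_to cannot be altered by a third party; the function and parameter names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical RP-side session binding (added example, not from the post).
# "session" stands in for whatever server-side session store the RP uses.

def begin_auth(session: dict, base_return_to: str) -> str:
    """Start an OpenID request: mint a per-session token and put it in return_to."""
    token = secrets.token_urlsafe(16)
    session["openid_rt_token"] = token
    return f"{base_return_to}?{urlencode({'rt_token': token})}"

def accept_assertion(session: dict, assertion: dict) -> bool:
    """Accept only an assertion that answers a request *this* session started.

    Assumes the caller has already verified the assertion's signature, which
    covers openid.return_to, so the token below is attacker-unmodifiable.
    """
    expected = session.pop("openid_rt_token", None)  # one-shot: also stops replay
    if expected is None:
        return False  # no outstanding request in this session: unsolicited
    return_to = assertion.get("openid.return_to", "")
    presented = parse_qs(urlparse(return_to).query).get("rt_token", [""])[0]
    return hmac.compare_digest(presented, expected)

if __name__ == "__main__":
    # Constructed scenario: a legitimate login, then the login-CSRF case from
    # the post, where an assertion obtained earlier is pushed at another session.
    user_session = {}
    rt = begin_auth(user_session, "https://rp.example/openid/return")
    solicited = {"openid.return_to": rt}            # answers user_session's request
    print("solicited accepted:", accept_assertion(user_session, solicited))
    victim_session = {}                             # never started an OpenID request
    print("unsolicited rejected:", not accept_assertion(victim_session, solicited))
```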