[security] Unsolicited assertion security vulnerability?
Andrew Arnott
andrewarnott at gmail.com
Sat Oct 27 00:16:21 UTC 2012
OpenID 2.0 RPs that allow unsolicited assertions (which Just Works by
default for proper OpenID implementations, it seems to me) seem to be
vulnerable to an attack. Can anyone confirm or deny what I'm imagining
here? It seems a security advisory *may* be appropriate.
The attack:
1. Victim navigates the browser to the attacker's web site.
2. The web site hosts a hidden iframe that redirects to a popular RP the
user is suspected to have an account with, carrying an unsolicited
assertion to the attacker's identity.
3. The victim then navigates to the RP that previously received the
hidden, unsolicited assertion.
4. The victim, unaware of the authentication, assumes that he/she is
logged into their own account, and uses the RP under that assumption. They
may upload files or transmit other data.
5. The attacker, who controls the account the victim is logged into,
gains access to that transmitted data.
Mitigations:
1. Disable unsolicited assertions (perhaps by only accepting assertions
with a return_to that includes a signed nonce from the RP).
2. Accept unsolicited assertions, but only after frame busting code
has confirmed with the user that they intended to log in as [attacker].
What are your thoughts on this?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
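One way an RP could implement the first mitigation above (accept only assertions whose return_to carries an RP-signed nonce bound to the browser session). This is an added example, not the author's code or any OpenID library's; the rp_nonce/rp_sig parameter names, the RP_SECRET value and the session dict are assumptions, and the OP's own signature over the assertion is assumed to be verified separately.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed per-RP secret for this example; a real RP keeps it out of source.
RP_SECRET = b"constructed-example-rp-secret"

def _sign(nonce: str) -> str:
    return hmac.new(RP_SECRET, nonce.encode(), hashlib.sha256).hexdigest()

def make_return_to(base_url: str, session: dict) -> str:
    """Start of an RP-initiated request: mint a nonce, bind it to this
    browser session, and embed it (signed) in return_to.  base_url is
    assumed to carry no query string."""
    nonce = secrets.token_urlsafe(16)
    session["openid_nonce"] = nonce
    return base_url + "?" + urlencode({"rp_nonce": nonce, "rp_sig": _sign(nonce)})

def accept_assertion(assertion: dict, session: dict) -> bool:
    """Return True only for assertions this RP solicited for this session.
    An unsolicited assertion (no nonce, a nonce this RP never minted, or a
    nonce minted for some other session) is refused, which blocks the
    hidden-iframe login described in the post."""
    qs = parse_qs(urlsplit(assertion.get("openid.return_to", "")).query)
    nonce = qs.get("rp_nonce", [""])[0]
    sig = qs.get("rp_sig", [""])[0]
    if not nonce or not sig:
        return False                      # no RP-minted nonce: unsolicited
    if not hmac.compare_digest(sig, _sign(nonce)):
        return False                      # nonce not minted by this RP
    if session.get("openid_nonce") != nonce:
        return False                      # minted for a different session
    session.pop("openid_nonce")           # single use: no replay
    return True
```

The session binding is what matters: a signed nonce alone would still let an attacker reuse a return_to the RP minted for the attacker's own browser.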