[security] OpenID identity leaks

Bart van Delft bartvandelft at yahoo.com
Sat Dec 21 10:07:49 UTC 2013


Hi Andris,

What you suggest sounds a bit like realm spoofing? In that case it is a 
known vulnerability of OpenID:
http://wiki.openid.net/w/page/12995216/OpenID_Phishing_Brainstorm

Best regards,

Bart van Delft

On 2013-12-21 10:12, Andris Atteka wrote:
> Hi Everyone,
>
> Google's Security Team suggested to ask this question here.
>
> An attacker can perform the following steps:
> 1) Find an open redirect in some major website that leads to the 
> attacker's website (and append a fragment identifier to this URL)
> 2) Craft a URL and set redirect_url to the open redirect
> 3) Trick the victim into visiting the URL
> As the URL belongs to a major website, the victim will most likely accept 
> the RP and his identity will be leaked to the attacker's site.
>
> Here's an example (Google itself has some nice open redirects):
> https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.google.com%2F&openid.return_to=https%3A%2F%2Fwww.google.com%2Fsearch%3FbtnI%26q%3Dallinurl%253A%252F%252Flva.lv%23aaa&openid.ui.icon=true&openid.ui.lang=en-US&openid.ui.mode=popup&third_party_login=false
>
> This can even be extended so that the user doesn't have to accept the RP. For 
> this the attacker would have to find an open redirect that shares a domain 
> with some valid OpenID consumer (some major sites actually do this). 
> In this case the user wouldn't even notice the identity leak.
>
> Is this only a bug in Google's OpenID implementation or a bug in the 
> OpenID spec itself?
>
> I do see the OpenID spec talking about normalization of identifiers 
> (including removal of fragment and fragment identifier). Does the same 
> apply to redirect_url? If not, would it be reasonable to include this 
> in the spec?
>
> Regards,
> Andris Atteka
> http://andrisatteka.blogspot.com
>
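The realm and return_to checks under discussion, as an added example in Python that is not code from this list or from any OpenID implementation. It implements the OpenID 2.0 section 9.2 realm-matching rules (same scheme and port, same or wildcard-matched host, path equal to or below the realm path, no fragment in the realm) and shows that a return_to pointing at an open redirect on the realm's own host passes that check, which is the gap the quoted message describes. It then applies two further checks an OP can make: rejecting a fragment in return_to, and requiring return_to to match one of the RP's return_to endpoints obtained by discovery on the realm (the "Return URL Verification" of section 9.2.1). All hosts, the return_to values and the discovered endpoint list are constructed placeholders; the label-boundary interpretation of the `*.` wildcard and the use of the same prefix rules for endpoint matching are assumptions noted in the code.

```python
from urllib.parse import urlsplit

# Constructed sample data (placeholder hosts, not real sites).
REALM = "https://rp.example.com/"
# A legitimate return_to for this RP.
GOOD_RETURN_TO = "https://rp.example.com/openid/return?token=abc"
# A return_to pointing at an open redirect on the RP's own host, with a
# fragment appended, in the shape described in the quoted message.
REDIRECT_RETURN_TO = "https://rp.example.com/go?to=https://attacker.example/#aaa"
# return_to endpoints the OP would obtain by Yadis discovery on the realm
# (service type http://specs.openid.net/auth/2.0/return_to); constructed.
DISCOVERED_RETURN_TO = ["https://rp.example.com/openid/return"]


def _host_matches(realm_host, url_host):
    """Host rule: exact match, or a '*.' wildcard realm covering the domain
    and its subdomains. Assumption: the wildcard is applied on label
    boundaries, so '*.example.com' does not match 'notexample.com'."""
    if realm_host.startswith("*."):
        base = realm_host[2:]
        return url_host == base or url_host.endswith("." + base)
    return realm_host == url_host


def _path_within(realm_path, url_path):
    """Path rule: the URL path equals the realm path or is a sub-directory of it."""
    realm_path = realm_path or "/"
    url_path = url_path or "/"
    prefix = realm_path if realm_path.endswith("/") else realm_path + "/"
    return url_path == realm_path or url_path.startswith(prefix)


def realm_matches(realm, return_to):
    """OpenID 2.0 section 9.2: does return_to fall within the realm?"""
    r, u = urlsplit(realm), urlsplit(return_to)
    # A realm must not carry a fragment; a return_to host must not be a pattern.
    if r.fragment or "*" in (u.hostname or ""):
        return False
    if r.scheme != u.scheme or r.port != u.port:
        return False
    if not _host_matches((r.hostname or "").lower(), (u.hostname or "").lower()):
        return False
    return _path_within(r.path, u.path)


def has_fragment(url):
    """True when the URL carries a fragment identifier (anything after '#')."""
    return bool(urlsplit(url).fragment)


def return_to_is_discovered(return_to, discovered):
    """Section 9.2.1 return-URL verification: return_to must match one of the
    RP's discovered return_to endpoints. Assumption: the same scheme/host/
    path-prefix rules as realm matching are used for that comparison."""
    return any(realm_matches(endpoint, return_to) for endpoint in discovered)


def assess(realm, return_to, discovered):
    """Run all three checks; an OP should only proceed when 'accept' is True."""
    checks = {
        "realm_matches": realm_matches(realm, return_to),
        "no_fragment": not has_fragment(return_to),
        "discovered_endpoint": return_to_is_discovered(return_to, discovered),
    }
    checks["accept"] = all(checks.values())
    return checks


if __name__ == "__main__":
    for candidate in (GOOD_RETURN_TO, REDIRECT_RETURN_TO):
        print(candidate, assess(REALM, candidate, DISCOVERED_RETURN_TO))
```

For the constructed redirect case `realm_matches` returns True, so a realm check alone would let the request through; `has_fragment` and the discovery-based endpoint check are what reject it. The endpoint check is the one that also covers the variant without a fragment, since an open redirect path on the RP's host is not among the endpoints the RP advertises.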
