[security] OpenID identity leaks
Andris Atteka
andris.atteka at gmail.com
Sat Dec 21 10:35:26 UTC 2013
Hi Bart,
Thanks for your response, however this case is a bit different from what
you are describing.
If you try the link I sent out, you'll notice that identity is leaked
before any user action.
Regards,
Andris
On Sat, Dec 21, 2013 at 12:07 PM, Bart van Delft <bartvandelft at yahoo.com> wrote:
> Hi Andris,
>
> What you suggest sounds a bit like realm spoofing? In that case it is a
> known vulnerability of OpenID:
> http://wiki.openid.net/w/page/12995216/OpenID_Phishing_Brainstorm
>
> Best regards,
>
> Bart van Delft
>
>
> On 2013-12-21 10:12, Andris Atteka wrote:
>
> Hi Everyone,
>
> Google's Security Team suggested to ask this question here.
>
> Attacker can perform the following steps:
> 1) Find an open redirect in some major website that leads to attacker's
> website (and append fragment identifier to this URL)
> 2) Craft a URL and set redirect_url to the open redirect
> 3) Trick the victim into visiting the URL
> As the URL belongs to a major website, most likely victim will accept the
> RP and his identity will be leaked to attacker's site.
>
> Here's an example (Google itself has some nice open redirects):
> https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.google.com%2F&openid.return_to=https%3A%2F%2Fwww.google.com%2Fsearch%3FbtnI%26q%3Dallinurl%253A%252F%252Flva.lv%23aaa&openid.ui.icon=true&openid.ui.lang=en-US&openid.ui.mode=popup&third_party_login=false
>
> This can even be extended so that user doesn't have to accept RP. For
> this attacker would have to find an open redirect that shares domain with
> some valid OpenID consumer (some major sites actually do this). In this
> case user wouldn't even notice the identity leak.
>
> Is this only a bug in Google's OpenID implementation or a bug in the
> OpenID spec itself?
>
> I do see the OpenID spec talking about normalization of identifiers
> (including removal of fragment and fragment identifier). Does the same
> apply to redirect_url? If not, would it be reasonable to include this in
> the spec?
>
> Regards,
> Andris Atteka
> andrisatteka.blogspot.com
>
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
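The thread's point is that a `return_to` URL can satisfy OpenID 2.0 realm matching (section 9.2 of the OpenID Authentication 2.0 spec: same scheme, port, host or `*.` wildcard host, and a path under the realm's path) and still hand the assertion to a third party when the realm's host has an open redirect, and that the spec's identifier normalization says nothing about fragments on `return_to`. The following is an added example, not code from the list, from Google, or from any OpenID library. It implements the spec's realm-matching rules on the provider side, then adds two checks the realm rule alone does not give: it flags a fragment on `return_to`, and it requires `return_to` to start with a registered RP endpoint. That allowlist is an assumption standing in for the spec's own mechanism, RP discovery over the realm (section 9.2.1), which an OP would use to learn the RP's real endpoints; the sample realm and URLs below are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(parts):
    """Lower-case host and effective port for a urlsplit() result."""
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return host, port


def realm_matches(realm: str, return_to: str) -> bool:
    """OpenID 2.0 section 9.2 realm matching: does return_to fall inside realm?"""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment:                       # realms MUST NOT contain a fragment
        return False
    if r.scheme != u.scheme:             # scheme must be identical
        return False
    r_host, r_port = _host_port(r)
    u_host, u_port = _host_port(u)
    if r_port != u_port:                 # port must be identical
        return False
    if r_host.startswith("*."):          # "*.example.com" matches "rp.example.com"
        if not u_host.endswith(r_host[1:]):
            return False
    elif r_host != u_host:
        return False
    r_path = r.path or "/"
    u_path = u.path or "/"
    # return_to path must equal the realm path or be a sub-directory of it
    return u_path == r_path or u_path.startswith(r_path.rstrip("/") + "/")


def return_to_problems(realm: str, return_to: str, registered_endpoints) -> list:
    """Checks an OP can run on a checkid request before sending any assertion.

    Realm matching is the spec rule; the fragment and allowlist checks are
    additional policy (assumption) that closes the open-redirect gap the
    thread describes: a URL can be inside the realm yet not be an RP endpoint.
    """
    problems = []
    if not realm_matches(realm, return_to):
        problems.append("return_to does not match realm")
    if urlsplit(return_to).fragment:
        problems.append("return_to carries a fragment")
    if not any(return_to.startswith(prefix) for prefix in registered_endpoints):
        problems.append("return_to is not a registered RP endpoint")
    return problems


# Constructed sample data (not from the thread): one RP with one real endpoint.
REALM = "https://rp.example.com/"
REGISTERED_ENDPOINTS = ("https://rp.example.com/openid/return",)
GOOD = "https://rp.example.com/openid/return?state=abc"
# Inside the realm by the section 9.2 rules, but a redirector with a fragment.
SUSPICIOUS = "https://rp.example.com/goto?u=https%3A%2F%2Fother.example%2F#frag"

if __name__ == "__main__":
    for url in (GOOD, SUSPICIOUS):
        print(url, "->", return_to_problems(REALM, url, REGISTERED_ENDPOINTS) or "ok")
```

Note what the output shows: the suspicious URL passes `realm_matches`, exactly as the URL in the thread passes Google's realm of `https://www.google.com/`, so only the fragment check and the endpoint allowlist (or real RP discovery) catch it.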