<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hi Bart,</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Thanks for your response; however, this case is a bit different from what you are describing.</div>
<div style="font-family:arial,sans-serif;font-size:13px">If you try the link I sent out, you'll notice that identity is leaked before any user action.</div><div style="font-family:arial,sans-serif;font-size:13px"><br>
</div><div style="font-family:arial,sans-serif;font-size:13px">Regards,</div><div style="font-family:arial,sans-serif;font-size:13px">Andris</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Dec 21, 2013 at 12:07 PM, Bart van Delft <span dir="ltr"><<a href="mailto:bartvandelft@yahoo.com" target="_blank">bartvandelft@yahoo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Andris,<br>
<br>
What you suggest sounds a bit like realm spoofing? In that case it
is a known vulnerability of OpenID:<br>
<a href="http://wiki.openid.net/w/page/12995216/OpenID_Phishing_Brainstorm" target="_blank">http://wiki.openid.net/w/page/12995216/OpenID_Phishing_Brainstorm</a><br>
<br>
Best regards,<br>
<br>
Bart van Delft<div><div class="h5"><br>
<br>
On 2013-12-21 10:12, Andris Atteka wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>Hi Everyone,</div>
<div><br>
</div>
<div>Google's Security Team suggested to ask this question here.</div>
<div><br>
</div>
<div>An attacker can perform the following steps:</div>
<div>1) Find an open redirect in some major website that leads
to the attacker's website (and append a fragment identifier to this
URL)</div>
<div>2) Craft a URL and set redirect_url to the open redirect</div>
<div>3) Trick the victim into visiting the URL</div>
<div>As the URL belongs to a major website, the victim will most likely
accept the RP and his identity will be leaked to the
attacker's site.</div>
<div><br>
</div>
<div>Here's an example (Google itself has some nice open
redirects):</div>
<div><a href="https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.google.com%2F&openid.return_to=https%3A%2F%2Fwww.google.com%2Fsearch%3FbtnI%26q%3Dallinurl%253A%252F%252Flva.lv%23aaa&openid.ui.icon=true&openid.ui.lang=en-US&openid.ui.mode=popup&third_party_login=false" target="_blank">https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.google.com%2F&openid.return_to=https%3A%2F%2Fwww.google.com%2Fsearch%3FbtnI%26q%3Dallinurl%253A%252F%252Flva.lv%23aaa&openid.ui.icon=true&openid.ui.lang=en-US&openid.ui.mode=popup&third_party_login=false</a></div>
<div><br>
</div>
<div>This can even be extended so that the user doesn't have to
accept the RP. For this, the attacker would have to find an open
redirect that shares a domain with some valid OpenID consumer
(some major sites actually do this). In this case the user
wouldn't even notice the identity leak.</div>
<div><br>
</div>
<div>Is this only a bug in Google's OpenID implementation or a
bug in the OpenID spec itself?</div>
<div><br>
</div>
<div>I do see the OpenID spec talking about normalization of
identifiers (including removal of fragment and fragment
identifier). Does the same apply to redirect_url? If not,
would it be reasonable to include this in the spec?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Andris Atteka</div>
<div><a href="http://andrisatteka.blogspot.com" target="_blank">andrisatteka.blogspot.com</a></div>
</div>
</div></div><pre>_______________________________________________
security mailing list
<a href="mailto:security@lists.openid.net" target="_blank">security@lists.openid.net</a>
<a href="http://lists.openid.net/mailman/listinfo/openid-security" target="_blank">http://lists.openid.net/mailman/listinfo/openid-security</a>
</pre>
</blockquote>
<br>
</div>
<br></blockquote></div><br></div>
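<p>Added example, not part of the thread above and not code from any OpenID implementation: an OP-side check of <code>return_to</code> against <code>realm</code> written from the OpenID 2.0 realm-matching rules (same scheme and port, URL path equal to or below the realm path, host identical to the realm host or covered by a leading <code>*.</code> wildcard, realms may not carry fragments), followed by the extra rule the original post asks about, namely refusing a <code>return_to</code> that carries a fragment identifier. The function names, the <code>reject_fragment</code> switch and the sample URLs are assumptions constructed for this example. Run against a simplified version of the thread's <code>return_to</code> it shows the point Andris makes: realm matching alone passes, because the open redirect lives on the realm's own host.</p>

```python
"""Added example: OpenID 2.0 realm matching for return_to, plus an
optional fragment check.  Not code from the thread or from any OpenID
library; function names and sample URLs are constructed assumptions."""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parts):
    """Explicit port if given, otherwise the scheme's default."""
    return parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme)


def _path_under(realm_path, url_path):
    """True if url_path equals the realm path or is a sub-directory of it."""
    base = (realm_path or "/").rstrip("/")
    url_path = url_path or "/"
    return url_path == base or url_path == base + "/" or url_path.startswith(base + "/")


def realm_matches(realm, url):
    """OpenID 2.0 section 9.2 realm matching, as this example reads it:
    scheme and port identical, path equal or below, host identical or
    matched by a '*.' wildcard (the bare base domain is accepted too)."""
    r, u = urlsplit(realm), urlsplit(url)
    if r.fragment:                      # realms may not contain fragments
        return False
    if r.scheme != u.scheme or _port(r) != _port(u):
        return False
    r_host, u_host = (r.hostname or ""), (u.hostname or "")
    if r_host.startswith("*."):
        base = r_host[2:]               # "*.example.com" -> "example.com"
        if not (u_host == base or u_host.endswith("." + base)):
            return False
    elif r_host != u_host:
        return False
    return _path_under(r.path, u.path)


def validate_return_to(realm, return_to, reject_fragment=True):
    """Return (ok, reason).  Realm matching is what the spec requires;
    rejecting a fragment in return_to is the additional rule the post
    proposes (an assumption of this example, not a spec requirement)."""
    if not realm_matches(realm, return_to):
        return False, "return_to does not match realm"
    if reject_fragment and urlsplit(return_to).fragment:
        return False, "return_to carries a fragment identifier"
    return True, "ok"


if __name__ == "__main__":
    # Constructed stand-in for the thread's return_to: same host as the
    # realm, a query string, and a trailing fragment.
    realm = "https://www.google.com/"
    return_to = "https://www.google.com/search?q=x#aaa"
    print("realm match only:", realm_matches(realm, return_to))      # True
    print("with fragment rule:", validate_return_to(realm, return_to))
    print("foreign host:", validate_return_to(realm, "https://attacker.example/"))
    print("wildcard realm:", realm_matches("https://*.example.com/app",
                                           "https://rp.example.com/app/cb"))
```

Design note: the fragment rule only catches the specific shape discussed in the thread; a <code>return_to</code> pointing at an open redirect on the realm's host without any fragment passes both checks, so the check is a mitigation and the durable fix is for the consumer site not to serve open redirects under its realm.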