[Openid-specs-ab] Attacking OpenID Connect 1.0 - Malicious Endpoints Attack

Mike Jones Michael.Jones at microsoft.com
Mon Oct 12 23:28:35 UTC 2015

This is the subject of open issue #979 https://bitbucket.org/openid/connect/issues/979/discovery-security-considerations-csrf.

				-- Mike

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Monday, October 12, 2015 4:07 PM
To: Michael Schwartz
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Attacking OpenID Connect 1.0 - Malicious Endpoints Attack

Thanks Mike,

We are looking at it.

It is perhaps overstatement that it compromises Connect Authentication.   It is more of an attack on the Authorization flow.   The attacker winds up with read access to the user_info endpoint for the user but not access to the RP/Client.

Propper XSRF protection at the client can mitigate the attacker pushing a fake userID to the client, as a first step.

However we will probably recommend a change to the registration response to prevent the underlying cause of the attack.

John  B.

> On Oct 12, 2015, at 7:35 PM, Mike Schwartz <mike at gluu.org> wrote:
> Attacking OpenID Connect 1.0 - Malicious Endpoints Attack
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fweb-in-security.blogspot.com%2f2015%2f10%2fattacking-openid-connect-10-malicious.html&data=01%7c01%7cMichael.Jones%40microsoft.com%7cc234e2cb56044e1e049908d2d359f17d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=A8NccdS%2b%2b0Xd7w548aF9yjsf7eFJJWawLko4S6rA9Ww%3d
> In this post we show a novel attack on OpenID Connect 1.0, which compromises the security of the entire protocol - the Malicious Endpoints attack. The idea behind the attack is to influence the information flow in the Discovery and Dynamic Registration Phase in such a way that the attacker gains access to sensitive information...
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2flists.openid.net%2fmailman%2flistinfo%2fopenid-specs-ab&data=01%7c01%7cMichael.Jones%40microsoft.com%7cc234e2cb56044e1e049908d2d359f17d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=GYi5qbQtSbEcxxf7MozA%2fGePj86DszjLqxpJGx2o3g0%3d

More information about the Openid-specs-ab mailing list