Discovery of an OpenID session at an OP

John Panzer jpanzer at google.com
Thu Dec 17 16:19:01 UTC 2009


The question is how much of an actual additional phishing risk this
type of information leak is.  The browsers have accidentally conducted
an experiment for us. The result so far appears to indicate that this
information provides little additional benefit to phishers as they
haven't used it for known successful attacks. Additional data most
welcomed.

Btw: The primary use case of Webfinger will provide similar clues.

On Tuesday, December 15, 2009, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>
> Note that all of these except the last are about how to use this for useful purposes or just playing around;
>
>
> Note? I put them in that order deliberately! The questions on this thread were about how widespread this exploit is "in the wild", and, as you can see, there are plenty of reasons for *good-intentioned* developers to practice it.
>
>
> the last one is a theoretical note that says "this may be useful for phishing" but doesn't give a specific attack
>
>
> You can find working implementations in the first set of links. That they double as attack vectors, despite being utilized for a benevolent purpose, wasn't something I saw any need to explain.
>
> -Shade
>

-- 
John Panzer / Google
jpanzer at google.com / abstractioneer.org / @jpanzer
