Interesting discussion on the MediaWiki list: impersonation
Johannes Ernst
jernst+openid.net at netmesh.us
Tue Nov 14 19:42:15 UTC 2006
http://mail.wikipedia.org/pipermail/wikitech-l/2006-November/039801.html
> Software responds, "The username you chose is very similar to the
> username of an existing user. In order to ensure that you are not
> trying to impersonate someone else, an administrator will have to
> approve your username manually.
This is really interesting because it's a form of attack: user A on a
site trying to trick another user into believing he is user B, not
user A. (Just like a phishing attack, but for users, not sites).
It appears to me that this type of attack would be particularly easy
if the user handle being shown on an OpenID-enabled site was anything
OTHER than the OpenID identifier (such as first/last name).
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
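Added example, not part of the original message and not MediaWiki's code: one way a registration step could hold a look-alike username for administrator approval, as the quoted response describes. The same comparison applies to any displayed handle. The confusables table, the distance threshold, and all function and user names are assumptions constructed for illustration.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table (assumption). A real
# deployment would load the full Unicode confusables data instead.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0455": "s",  # Cyrillic
})

def skeleton(name):
    """Reduce a display name to the form a human reader is likely to perceive."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = "".join(ch for ch in folded if ch.isalnum())  # drop spaces, _, -
    return folded.translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similar_existing(candidate, existing, max_distance=1):
    """Return existing names whose skeleton is within max_distance of the candidate's."""
    cand = skeleton(candidate)
    return [name for name in existing
            if name != candidate
            and edit_distance(cand, skeleton(name)) <= max_distance]

def registration_decision(candidate, existing):
    if candidate in existing:
        return "rejected-taken"
    if similar_existing(candidate, existing):
        return "pending-admin-approval"  # a human reviews possible impersonation
    return "accepted"

# Constructed sample user base.
EXISTING = ["Johannes Ernst", "alice", "bob_smith"]

if __name__ == "__main__":
    for name in ["J0hannes Ernst", "\u0430lice", "bob-smith", "carol", "alice"]:
        print(repr(name), "->", registration_decision(name, EXISTING))
```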