Interesting discussion on the MediaWiki list: impersonation

Johannes Ernst jernst+openid.net at netmesh.us
Tue Nov 14 19:42:15 UTC 2006


http://mail.wikipedia.org/pipermail/wikitech-l/2006-November/039801.html

> Software responds, "The username you chose is very similar to the
>    username of an existing user. In order to ensure that you are not
>    trying to impersonate someone else, an administrator will have to
>    approve your username manually.

This is really interesting because it's a form of attack: user A on a  
site trying to trick another user into believing he is user B, not  
user A. (Just like a phishing attack, but for users, not sites).

It appears to me that this type of attack would be particularly easy  
if the user handle being shown on an OpenID-enabled site was anything  
OTHER than the OpenID identifier (such as first/last name).



Johannes Ernst
NetMesh Inc.


  http://netmesh.info/jernst
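
The two situations raised in the message above, shown as an added example that is not part of the original post and is not MediaWiki's or any OpenID library's code: a registration-time check that holds look-alike usernames for review, and a check for distinct OpenID identifiers that share a look-alike display name. The function names, the small look-alike map, the distance threshold and the sample accounts are all assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately small look-alike map; a real deployment would use
# the full Unicode confusables data (UTS #39) instead.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "I": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
})

def skeleton(name):
    """Comparison key: fold compatibility forms, look-alikes, case, spacing."""
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    return "".join(ch for ch in folded.casefold() if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def needs_review(candidate, existing, max_distance=1):
    """Existing handles the candidate could be mistaken for (empty list = OK)."""
    key = skeleton(candidate)
    return [n for n in existing if edit_distance(key, skeleton(n)) <= max_distance]

def display_collisions(accounts):
    """Group distinct OpenID identifiers whose display names look the same."""
    groups = {}
    for openid, display in accounts.items():
        groups.setdefault(skeleton(display), []).append(openid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

# Constructed sample data; the example.com / example.net identifiers are placeholders.
EXISTING = ["Johannes Ernst", "alice", "Bob"]
ACCOUNTS = {
    "https://id.example.com/jernst": "Johannes Ernst",
    "https://other.example.net/je": "Joh\u0430nnes Ernst",  # Cyrillic "a"
    "https://id.example.com/alice": "Alice",
}

if __name__ == "__main__":
    print(needs_review("J0hannes Ernst", EXISTING))
    print(display_collisions(ACCOUNTS))
```

A site that shows only the display name gives both colliding accounts the same on-screen identity; showing the OpenID identifier next to it keeps them distinguishable.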


