A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). See below for information on the suggested fix.
The researchers determined that some sites were not confirming that the information passed through AX was signed. That allows an attacker to modify the information. If the site is only using AX to receive low-security information like a users self-asserted gender, then this will probably not be a problem. However if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack.
The researchers contacted the main websites impacted, and those sites have deployed a fix. OpenID Foundation board members have worked to identify other websites that were impacted and similarly have them deploy a fix. There are no known examples of attacks using this technique.
The OpenID Foundation would like to thank security researchers Rui Wang, Shuo Chen and XiaoFeng Wang for reporting their findings.
Suggested Fix:
For apps that are vulnerable, we recommend modifying application code to accept only signed attribute values as an initial step.
We confirmed apps using OpenID4Java are prone to accepting unsigned attributes. Please update to the latest version of this library (0.9.6 final) if you’re using it or any dependent libraries (such as Step2). Kay Framework was also vulnerable, but has since been patched in version 1.0.2. Other libraries may have the same issue though the default usage of services/libraries from Janrain, Ping Identity and DotNetOpenAuth are not susceptible to this attack.
Tags: ax
Pingback: OpenID Warns of Serious Bug in Some Implementations - AISLE.NETwork : Information Security News…
Pingback: OpenID Attribute Exchange flaw | It's Just Me | Internet Troublemaker
Pingback: » * Błąd w OpenID -- Niebezpiecznik.pl --
Pingback: Identitätsklau mit OpenID – Heise Online « M.IT Computer Blog
Pingback: Blog SegInfo – Segurança da Informação – Tecnologia – Notícias, Artigos e Novidades » Blog Archive » Falha no “Attribute Exchange” do OpenID
Pingback: Identity theft with OpenID
Pingback: La Fundación OpenID advierte de un error de autenticación | eWEEK Europe España
Pingback: OpenID Foundation Warns Websites of Authentication Flaw | john_kaufman
Pingback: Open ID en riesgo | Derecho informático
Pingback: Fallo de seguridad en OpenID
Pingback: CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information | Net Cleaner
Pingback: SA-CORE-2012-001 – Drupal core multiple vulnerabilities | Net Cleaner
Pingback: Vulnerability report: Data confusion | OpenID
Pingback: OpenID.net: Vulnerability report: Data confusion « oracle fusion identity