Vulnerability report: Data confusion


In May of last year a group of security researchers identified a flaw in some OpenID implementations. They have recently identified a related flaw, also affecting some OpenID implementations. See data-confusion-bugreport (1) for their report.

The researchers contacted the main websites impacted, and those sites have deployed a fix. OpenID Foundation board members have worked to identify other impacted websites and have them deploy a fix as well. There are no known examples of attacks using this technique. If your website does not use an OpenID relying party (RP) implementation from one of the OpenID Foundation vendors, we suggest reading the report.

The OpenID Foundation would like to thank security researchers Rui Wang, Shuo Chen and XiaoFeng Wang for reporting their findings.  You can also read their related report.