Please be advised a number of OpenID Authentication 2.0 server implementations were found to be vulnerable due to non-compliance to the normative requirements of the OpenID Authentication 2.0 specification.
The nature of the vulnerability
In section 220.127.116.11 of the OpenID Authentication 2.0, it is stated that “For verifying signatures an OP MUST only use private associations and MUST NOT use associations that have shared keys.” However, vulnerable implementations were not making distinction between the private associations and shared associations and was performing the signature verification on the shared associations.
Impact of the vulnerability
Any relying party (RP) that has established a shared association with a vulnerable OP can impersonate a victim at any relying party by crafting a signature using its shared association. This is because the RP that has received the crafted response would not find the association handle in its list of shared associations and thus consider it as being signed by the OP’s private association and send it to the OP for the verification. If the OP was implemented according to the specification, the OP will return false since it is using the shared association. However, if the OP is not making distinction between two types of association, it would respond the RP that the signature is valid allowing the attacker to login to the RP.
How to find if your OP implementation is vulnerable
The OP implementation that has this bug will not pass the following OSIS I5 test. http://test-id.org/OP/CheckAuthSharedSecret.aspx
We hope this notice was helpful. The attentiveness of the open source community is one of the safe guards maiming the integrity of OpenID Foundations standards.
Executive Director, The OpenID Foundation