[security] MyOpenID

gaz_sec at hushmail.com
Wed Mar 21 06:33:34 PDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone

I've found 2 problems with the MyOpenID.com site. I've contacted
them to report the problem, but I also believe there is a problem
with how OpenID itself works. I've been told many times on another
list that it isn't a specific problem with OpenID, but I'm pretty
sure it is.

I don't know what the position is on disclosure, so I thought I
would just describe what is possible on the MyOpenID site and see
if the problem has been encountered before.

1. First of all, if you sign into an OpenID server (in this case
MyOpenID.com), then log on to an OpenID-enabled site like
http://ficlets.com/, then sign out of the OpenID-enabled site, it
is possible to log them back onto the site from any remote web site.

2. The second problem is more serious: you can create a specially
crafted web page to automatically log on to a web site and also add
that web site to the "allow forever" trusted sites. The only
requirement is that you have to be logged onto the OpenID server.

Both cases can be prevented if the OpenID specification requires
authorisation regardless of a cached token.

Cheers

Gareth
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYBNAoACgkQrR8fg3y/m1BUeAQAlXk1/BfVU5InHjrrQ6uRP/EpPnMF
XcQiIgRnPW+QVwlMkyXIFtjx112xT4BlaNrueKed2YUipfNdL9x+XEYGvRj+1qQTESAH
vfV891koLJyiGPUC/keiTsDnGxJt6CesrFVzXXyVQXLRPk8AgeAUaBy1UvbP0zMxNkrP
dW0wgjo=
=68JR
-----END PGP SIGNATURE-----
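The two behaviours described in the message, modelled side by side as an added example (not code from the original post, from MyOpenID, or from any OpenID library): a simplified identity-provider handler that auto-approves a request for an already-trusted realm, next to a hardened version that always requires an explicit confirmation step bound to the user's session before approving or extending the "allow forever" list. The `Session`, `weak_checkid`, `hardened_checkid` and `hardened_confirm` names and the `"approved"` / `"confirm_required"` result labels are assumptions of this illustration, not OpenID protocol messages.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side state for one logged-in user at the OpenID provider (assumed model)."""
    user: str
    trusted_realms: set = field(default_factory=set)   # the "allow forever" list
    pending: dict = field(default_factory=dict)        # one-time token -> realm


def weak_checkid(session, realm):
    """Weak pattern the post describes: a realm on the user's 'allow forever' list is
    approved with no interaction, so any page that makes the browser send this request
    (the user's cookie rides along) silently logs the user in at that realm."""
    if session is None:
        return "setup_needed"
    if realm in session.trusted_realms:
        return "approved"          # no user interaction at all
    return "setup_needed"


def hardened_checkid(session, realm):
    """Hardened pattern: the cached trust decision alone never approves anything.
    Every request gets a single-use confirmation token stored in the session; only
    the provider's own confirmation page, which the user must act on, knows it."""
    if session is None:
        return "setup_needed", None
    token = secrets.token_urlsafe(16)
    session.pending[token] = realm
    return "confirm_required", token


def hardened_confirm(session, token, realm, remember=False):
    """Completes a request only with a valid, unused token for the same realm.
    The 'allow forever' list is extended here and nowhere else, so a crafted page
    cannot add a realm to it: it never sees the token."""
    expected = session.pending.pop(token, None)
    if expected is None or expected != realm:
        return "rejected"
    if remember:
        session.trusted_realms.add(realm)
    return "approved"


def demo():
    """Constructed scenario: a user already trusts one relying party, and a remote
    page triggers a fresh authentication request for it. Returns the outcomes."""
    session = Session(user="alice", trusted_realms={"http://rp.example/"})
    realm = "http://rp.example/"

    weak_result = weak_checkid(session, realm)              # silently approved

    status, token = hardened_checkid(session, realm)        # confirmation required
    forged = hardened_confirm(session, "guess", realm)      # remote page lacks token
    genuine = hardened_confirm(session, token, realm)       # user confirms on OP page
    replay = hardened_confirm(session, token, realm)        # token is single-use
    return weak_result, status, forged, genuine, replay


if __name__ == "__main__":
    print(demo())
```

The design point is the one the message closes with: trust recorded earlier says which realms the user is willing to approve, not that a particular request was the user's own; the confirmation token ties approval to an action on the provider's page, which a remote site cannot perform on the user's behalf.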
