Hi everyone,

I've found 2 problems with the MyOpenID.com site. I've contacted them to report the problem, but I also believe there is a problem with how OpenID itself works. I've been told many times on another list that it isn't a specific problem with OpenID, but I'm pretty sure it is. I don't know what the position is on disclosure, so I thought I would just describe what is possible on the MyOpenID site and see if the problem has been encountered before.

1. First of all, if you sign into an OpenID server (in this case MyOpenID.com), then log on to an OpenID-enabled site like http://ficlets.com/, then sign out of the OpenID-enabled site, it is possible to log them back onto the site from any remote web site.

2. The second problem is more serious: you can create a specially crafted web page to automatically log on to a web site and also add that web site to the "allow forever" trusted sites. The only requirement is that you have to be logged onto the OpenID server.

Both cases can be prevented if the OpenID specification requires authorisation regardless of a cached token.

Cheers
Gareth

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
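To make the "cached token" point concrete, here is an added example (not code from the post, from MyOpenID, or from the OpenID spec) that models an OpenID Provider's decision logic for a checkid request. All names (`ProviderSession`, `decide_cached`, `begin_confirmation`, `decide_confirmed`) are hypothetical; the weak policy asserts on a live OP session plus an "allow forever" entry, while the hardened one demands a fresh, one-time, user-submitted confirmation bound to the requesting trust root.

```python
# Added example (hypothetical names); not MyOpenID's or the OpenID spec's code.
from dataclasses import dataclass, field
import secrets


@dataclass
class ProviderSession:
    user: str                                           # user logged into the OP
    trusted_roots: set = field(default_factory=set)     # "allow forever" sites
    pending: dict = field(default_factory=dict)         # nonce -> trust_root awaiting a click


def decide_cached(session, trust_root):
    """Weak policy from the post: an OP session plus a cached 'trusted forever'
    entry is enough to assert identity, so any third-party page that provokes a
    checkid request gets the user silently logged back into the relying party."""
    return trust_root in session.trusted_roots


def begin_confirmation(session, trust_root):
    """Hardened policy: every checkid request, trusted root or not, gets a fresh
    one-time nonce that is only ever rendered on the OP's own confirmation page."""
    nonce = secrets.token_urlsafe(16)
    session.pending[nonce] = trust_root
    return nonce


def decide_confirmed(session, trust_root, nonce):
    """Assert only if the user submitted the nonce issued for this exact trust
    root. The nonce is consumed on use, so it cannot be replayed."""
    expected = session.pending.pop(nonce, None)
    return expected is not None and expected == trust_root


def demo():
    # Constructed session: user already logged into the OP, ficlets trusted forever.
    s = ProviderSession(user="alice", trusted_roots={"http://ficlets.com/"})
    cached = decide_cached(s, "http://ficlets.com/")                 # True: weak
    forged = decide_confirmed(s, "http://ficlets.com/", "guess")     # False: no nonce
    nonce = begin_confirmation(s, "http://ficlets.com/")
    confirmed = decide_confirmed(s, "http://ficlets.com/", nonce)    # True: user clicked
    replay = decide_confirmed(s, "http://ficlets.com/", nonce)       # False: consumed
    return cached, forged, confirmed, replay


if __name__ == "__main__":
    print(demo())
```

The nonce is tied to the trust root that asked, so a confirmation started for one site cannot be redeemed for another, which is what closes the "add to allow forever" variant as well.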
