On Mar 21, 2007, at 9:33 AM, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote:
> Hi everyone
>
> I've found 2 problems with the MyOpenID.com site. I've contacted
> them to report the problem but I also believe there is a problem
> with how OpenID itself works. I've been told many times that it
> isn't a specific problem with OpenID on another list but I'm pretty
> sure it is.
>
> I don't know what the position is on disclosure so I thought I
> would just describe what is possible on the MyOpenID site and see
> if the problem has been encountered before.
>
> 1. First of all, if you sign in to an OpenID server (in this case
> MyOpenID.com), then log on to an OpenID enabled site like
> http://ficlets.com/, then sign out of the OpenID enabled site, it
> is possible to log them back onto the site from any remote web site.

Which is the last 'the site' you're referring to, the Relying Party (e.g. ficlets)? Take a look at the Single Sign Out topics that have been discussed on the OpenID lists. Do you have a step by step walkthrough example?

> 2. The second problem is more serious: you can create a specially
> crafted web page to automatically log on to a web site and also add
> that web site to the "allow forever" trusted sites. The only
> requirement is that you have to be logged onto the OpenID server.

How would you do this? Do you have an example?

> Both cases can be prevented if the OpenID specification requires
> authorisation regardless of a cached token.

That would defeat the purpose of some of the key benefits. I'd like to know more about which specific issues you're referring to.

Thanks,
Matt

> Cheers
>
> Gareth
>
> _______________________________________________
> security mailing list
> [email protected]
> http://openid.net/mailman/listinfo/security

------------------
Matt Pelletier
http://www.eastmedia.com -- EastMedia
http://www.informit.com/title/0321483502 -- The Mongrel Book
http://identity.eastmedia.com -- OpenID, Identity 2.0
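As an added illustration (not code from this thread, from MyOpenID, or from any OpenID library), a constructed, simplified provider model of the decision Gareth and Matt are discussing: a remembered trust_root lets an openid.mode=checkid_immediate request complete silently, so signing out of the Relying Party alone does not end that, while adding a trust_root requires a POST carrying a session-bound token that a page on another site cannot supply. The class and method names are assumptions.

```python
import secrets


class OpenIDProvider:
    """Constructed, simplified OP decision logic; not MyOpenID's or any library's code."""

    def __init__(self):
        # session_id -> {"user": name, "trusted": set of trust_roots, "csrf": token}
        self.sessions = {}

    def login(self, user):
        """User signs in to the OP; returns the session id the browser holds as a cookie."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "trusted": set(), "csrf": secrets.token_hex(16)}
        return sid

    def logout(self, sid):
        """Ending the OP session is what actually stops silent re-logon to Relying Parties."""
        self.sessions.pop(sid, None)

    def csrf_token(self, sid):
        """Only the OP's own approval page (same origin) can read this token."""
        return self.sessions[sid]["csrf"]

    def checkid(self, sid, mode, trust_root):
        """Decide what to do with an openid.mode=checkid_* request for trust_root."""
        s = self.sessions.get(sid)
        if s is None:
            return "setup_needed"        # not logged on at the OP
        if trust_root in s["trusted"]:
            return "assert"              # cached approval: RP login completes silently
        if mode == "checkid_immediate":
            return "setup_needed"        # no approval yet and no user present
        return "confirm_required"        # checkid_setup: show the approval page

    def approve(self, sid, trust_root, csrf_token, remember):
        """POST from the approval page. A form auto-submitted by another site
        cannot know the session-bound token, so it cannot add a trust_root."""
        s = self.sessions.get(sid)
        if s is None or not secrets.compare_digest(csrf_token, s["csrf"]):
            return False
        if remember:
            s["trusted"].add(trust_root)
        return True
```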
