-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No problem, Scott. I want OpenID to work, and I feel the best way of making it work would be to highlight problems. I must say your team have been excellent in responding to my bug.
Thanks
Gareth

On Wed, 21 Mar 2007 19:25:36 +0000 Scott Kveton <[EMAIL PROTECTED]> wrote:
>Just as a quick update, we have the MyOpenID team looking very closely at this and they are working with Gareth on it to pinpoint the exploit/problem. Right now it appears to be a Safari-only exploit ... No matter what, we'll get a fix out as well as publish the details.
>
>Gareth: you've been great on this so far ... Thanks so much for showing reserve in publishing the exact exploit.
>
>- Scott
>
>On 3/21/07 12:18 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> The site checks the session and also uses a unique session token.
>>
>> You have to be logged onto the OpenID server in order for this to work.
>>
>> On Wed, 21 Mar 2007 19:09:13 +0000 [EMAIL PROTECTED] wrote:
>>>> 2. The second problem is more serious: you can create a specially crafted web page to automatically log on to a web site and also add that web site to the "allow forever" trusted sites. The only requirement is that you have to be logged onto the OpenID server.
>>>
>>> This case I don't understand well. If the provider prevents replay attacks of trust dialogs with the user (e.g. nonce in form) and requires the request to come from the user agent with a valid session, how could a remote site establish such permanent trust?
>>>
>>> I would assume this is a bug in the OP, which is probably accepting a POST without any credentials other than a session cookie.
>>>
>>> Terry
>>>
>>> -----Original Message-----
>>> From: Paul C. Bryan <[EMAIL PROTECTED]>
>>> To: [EMAIL PROTECTED]
>>> Cc: [email protected]
>>> Sent: Wed, 21 Mar 2007 10:50 am
>>> Subject: Re: [security] MyOpenID
>>>
>>> On Wed, 2007-03-21 at 13:33 +0000, [EMAIL PROTECTED] wrote:
>>>
>>>> 1. First of all, if you sign into an OpenID server, in this case (MyOpenID.com), then log on to an OpenID-enabled site like (http://ficlets.com/), then sign out of the OpenID-enabled site, it is possible to log them back onto the site from any remote web site.
>>>
>>> Presumably, this is true only:
>>>
>>> a) as long as I am still logged into the OpenID provider,
>>> b) the remote site knows the OpenID login URL of the client site.
>>>
>>> Correct? The risk here is that I would have a session with the client site without explicitly asking for it?
>>>
>>>> 2. The second problem is more serious: you can create a specially crafted web page to automatically log on to a web site and also add that web site to the "allow forever" trusted sites. The only requirement is that you have to be logged onto the OpenID server.
>>>
>>> This case I don't understand well. If the provider prevents replay attacks of trust dialogs with the user (e.g. nonce in form) and requires the request to come from the user agent with a valid session, how could a remote site establish such permanent trust?
>>>
>>>> Both cases can be prevented if the OpenID specification requires authorisation regardless of a cached token.
>>>
>>> I think the second case already requires authorization by the user. Properly developed providers should ask for the user to grant trust to the consumer site, and not be susceptible to crafted requests to bypass the user dialog.
>>>
>>> Paul
>>>
>>> _______________________________________________
>>> security mailing list
>>> [email protected]
>>> http://openid.net/mailman/listinfo/security
>> -----BEGIN PGP SIGNATURE-----
>> Note: This signature can be verified at https://www.hushtools.com/verify
>> Version: Hush 2.5
>>
>> wpwEAQECAAYFAkYBhO0ACgkQrR8fg3y/m1BGlAQAk9kND4cY7HcJLH+o9/ukFp9hV1v/
>> qYuL79n1BNSDDWMYjQpY9qWB3Lvc1KqAAGESUYnvzPeNNGgKKCOIP+oPi4DHBcy+GrwG
>> Et74N6G4p4UQ6GEbS4747lzbXXJklNgJQgabgzNiO1dFDBMwIwlMpS2KcgFdTtQ+IMTu
>> AU6i9co=
>> =J+64
>> -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYBjloACgkQrR8fg3y/m1DyrwP/RgD5chaSFNEdjIX4Dc4FTMx2GJri
tupZeq+FTtI9m5V9I6YBvXYutWtx8dvWdbngitDKM1R7UXLdbZ/v2DOhXutlCWlmLyoD
rtGsdup/Q2LI1s3in32Qr0O9CacPDug5JLVPIOlNB67InP9kRkXu/2+HSLq4COjHMsHS
TwKCfps=
=JvNN
-----END PGP SIGNATURE-----
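The disagreement in the thread is concrete enough to model: Terry suspects the OP accepts the trust-approval POST on the strength of a session cookie alone, while Paul expects a provider to require a nonce in the trust form together with a valid session. The block below is an added example, not code from MyOpenID, from the OpenID libraries or from anyone on the list. The endpoint names, the Session/Request classes and the relying party http://attacker.example/ are assumptions made for illustration, and the requests driven through the two handlers are constructed rather than captured traffic. It covers only the second problem (the cross-site "allow forever" grant); the first problem, silent re-login to a relying party while the OP session persists, is a policy question the thread leaves open.

```python
"""
Trust-approval step of an OpenID provider (OP), modelled two ways.

Added example: not code from MyOpenID, the OpenID libraries or anyone on the
thread. The endpoint names, the Session/Request classes and the relying party
http://attacker.example/ are assumptions made for illustration; the inputs
driven through the handlers are constructed, not captured traffic.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS: dict = {}   # session cookie value -> Session
TRUSTED: dict = {}    # user -> set of trust roots the user "allowed forever"


@dataclass
class Session:
    """Server-side state the OP keeps for one logged-in browser."""
    user: str
    # Single-use nonces issued when the OP renders its trust dialog, each
    # bound to the trust root the dialog was rendered for.
    pending: dict = field(default_factory=dict)   # nonce -> trust_root


@dataclass
class Request:
    """A POST as the OP sees it. The browser attaches the session cookie
    itself, whether the form lived on the OP's page or on an attacker's."""
    cookie: str
    form: dict


def login(user: str) -> str:
    """Establish the OP session the thread says is the only precondition."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = Session(user=user)
    return cookie


def render_trust_dialog(cookie: str, trust_root: str) -> str:
    """Runs only when the user really views the OP's trust dialog. Issues a
    nonce bound to this session and this trust root; the real page would
    embed it as a hidden form field that a foreign page cannot read."""
    nonce = secrets.token_urlsafe(16)
    SESSIONS[cookie].pending[nonce] = trust_root
    return nonce


def approve_trust_vulnerable(req: Request) -> bool:
    """The behaviour Terry suspects: a valid session cookie is the only
    credential checked, so a crafted page elsewhere can submit the form."""
    session = SESSIONS.get(req.cookie)
    if session is None:
        return False
    TRUSTED.setdefault(session.user, set()).add(req.form["trust_root"])
    return True


def approve_trust_hardened(req: Request) -> bool:
    """The properties Paul describes: besides the session, the POST must carry
    a nonce this session was issued for this very trust root, and the nonce is
    consumed on first use so the dialog cannot be replayed."""
    session = SESSIONS.get(req.cookie)
    if session is None:
        return False
    bound_root = session.pending.pop(req.form.get("nonce", ""), None)
    if bound_root is None:
        return False               # no dialog was shown for this submission
    submitted = req.form.get("trust_root", "")
    if not hmac.compare_digest(bound_root.encode(), submitted.encode()):
        return False               # nonce was issued for a different relying party
    TRUSTED.setdefault(session.user, set()).add(bound_root)
    return True


def run_scenario() -> dict:
    """Drive both handlers with a cross-site POST (cookie present, nonce
    unknown to the attacker) and with a genuine submission from the dialog."""
    SESSIONS.clear()
    TRUSTED.clear()
    cookie = login("victim")
    # What an auto-submitting form on the attacker's page would deliver.
    evil = Request(cookie, {"trust_root": "http://attacker.example/",
                            "allow_forever": "1"})
    vuln_csrf = approve_trust_vulnerable(evil)
    trusted_after_vuln = set(TRUSTED.get("victim", set()))

    TRUSTED.clear()
    nonce = render_trust_dialog(cookie, "http://ficlets.com/")
    good = Request(cookie, {"trust_root": "http://ficlets.com/",
                            "allow_forever": "1", "nonce": nonce})
    hard_legit = approve_trust_hardened(good)
    hard_replay = approve_trust_hardened(good)   # same nonce a second time
    hard_csrf = approve_trust_hardened(evil)
    return {
        "vulnerable_csrf_accepted": vuln_csrf,
        "trusted_after_vulnerable": trusted_after_vuln,
        "hardened_legit_accepted": hard_legit,
        "hardened_replay_accepted": hard_replay,
        "hardened_csrf_accepted": hard_csrf,
        "trusted_after_hardened": set(TRUSTED.get("victim", set())),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The nonce does two jobs at once: because it is issued only when the OP renders the dialog and a foreign page cannot read it, it is the anti-CSRF credential Terry says is missing; because it is deleted on first use, it is also the replay protection Paul asks for. Binding it to the trust root it was issued for is defence in depth, so that a nonce obtained for one relying party cannot be redirected to another.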
