So, if I understand this correctly, it's not a problem with the protocol, but with the identity provider being a bit too loose with its authorizations?

On 3/21/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> On 3/21/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > I don't know what the position is on disclosure so I thought I
> > would just describe what is possible on the MyOpenID site and see
> > if the problem has been encountered before.
>
> Just for the record, we (JanRain) prefer to get contacted before a
> potential vulnerability has been publicly discussed.
>
> We're happy to work with anyone who has found a vulnerability in the
> OpenID protocols, the JanRain OpenID libraries, or any of our
> OpenID-using products.
>
> Josh
> _______________________________________________
> security mailing list
> [email protected]
> http://openid.net/mailman/listinfo/security
