Identity theft with OpenID

Faulty implementations of OpenID Extension Attribute Exchange (AX) allow attackers against a foreign websites impersonate, warns the OpenID Foundation. Security researchers have discovered that some of OpenID participating websites did not verify whether the reported data is signed. Due to the lack of verification data, an attacker can freely manipulate. One specific attack scenario, called the Foundation is not.

What websites were affected the problem of, was open to the Foundation. The operators of vulnerable sites were previously informed about the vulnerability and has reportedly closed the gap to. According to the Foundation, the problem with all applications prior to that the Java library OpenID4Java use.

The weak point was the final version 0.9.6 of the library is closed with. Kay also the framework for Google App Engine is up to the now outdated vulnerable version 1.0.1 - currently is version 1.1.1. The Foundation does not rule out that other libraries are vulnerable. JanRain , Ping Identity and DotNetOpenAuth were probably not affected.

OpenID is an attempt to single sign-on system in the network to establish an open source. Users with a OpenID provider , Yahoo, WordPress and MySpace are registered as Google can access the login at participating web services using their.


Anonymous said...

That means that also we, bloggers are affected by this :( I hope nothing happens to us.

Gaston said...

RAWR! Evil people screwing non evil people through useful stuff, me no like. :(

fit4life said...

i hope nothing happens to me D: