The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data that’s exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem.
The bug in OpenID lies in the way that the system’s Attribute Exchange, an extension to the OpenID system that gives sites the ability to exchange identity information between endpoints. OpenID, and open source project that enables users to prove their identity to myriad sites without providing their password, is used by a slew of popular sites, including Google, Yahoo and Flickr.
“The researchers determined that some sites were not confirming that the
information passed through AX was signed. That allows an attacker to
modify the information. If the site is only using AX to receive
low-security information like a users self-asserted gender, then this
will probably not be a problem. However if it is being used to receive
information that it only trusts the identity provider to assert, then it
creates the potential for an attack,” OpenID said in the advisory.
Prior to disclosing the vulnerability, the researchers who discovered it worked with OpenID to notify the major sites that implement OpenID and had vulnerable code. Those sites have made the fix.
“The researchers contacted the main websites impacted, and those sites
have deployed a fix. OpenID Foundation board members have worked to
identify other websites that were impacted and similarly have them
deploy a fix. There are no known examples of attacks using this
technique,” the advisory said.
John Fontana at Ping Identity, which uses OpenID, has more details on the issue in this post, which first brought the bug to light.
The major commercial products that implement OpenID, including Ping and others, aren’t vulnerable to this problem.