OpenID Warns of Serious Bug in Some Implementations

The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data that’s exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem.

The bug lies in the way some sites handle Attribute Exchange (AX), an extension to the OpenID system that gives sites the ability to exchange identity information between endpoints. OpenID, an open source project that enables users to prove their identity to myriad sites without providing their password, is used by a slew of popular sites, including Google, Yahoo and Flickr.

“The researchers determined that some sites were not confirming that the information passed through AX was signed. That allows an attacker to modify the information. If the site is only using AX to receive low-security information like a user's self-asserted gender, then this will probably not be a problem. However if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack,” OpenID said in the advisory.
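As an added example (not from the advisory, Ping Identity or any OpenID library), here is the check the advisory describes, written in Python: an OpenID 2.0 relying party should trust an AX attribute only if its field is listed in `openid.signed`, the set of fields covered by `openid.sig`. The sample response, the `ext1` alias and the tampered email value are constructed; verification of the signature itself is assumed to happen elsewhere.

```python
AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample positive assertion. The gender attribute is listed in
# openid.signed, the email attribute is not, so email could have been altered.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://idp.example/user/alice",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "attacker@evil.example",
    "openid.ext1.type.gender": "http://axschema.org/person/gender",
    "openid.ext1.value.gender": "F",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ext1,ext1.mode,ext1.type.gender,ext1.value.gender",
    "openid.sig": "PLACEHOLDER-verified-elsewhere",
}

def ax_alias(resp):
    """Return the extension alias bound to the AX namespace, or None."""
    for key, value in resp.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def ax_values_unchecked(resp):
    """The vulnerable pattern: accept every AX value present in the response."""
    alias = ax_alias(resp)
    if alias is None:
        return {}
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in resp.items() if k.startswith(prefix)}

def ax_values_signed(resp):
    """Hardened: return only AX values whose field names appear in openid.signed."""
    alias = ax_alias(resp)
    if alias is None:
        return {}
    signed = set(resp.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed:   # the namespace binding itself must be signed
        return {}
    out = {}
    for key, value in resp.items():
        field = key[len("openid."):]    # e.g. "ext1.value.email"
        if not field.startswith(f"{alias}.value."):
            continue
        name = field[len(f"{alias}.value."):]
        # Both the value and its type URI must be covered by the signature.
        if field in signed and f"{alias}.type.{name}" in signed:
            out[name] = value
    return out
```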

Prior to disclosing the vulnerability, the researchers who discovered it worked with OpenID to notify the major sites that implement OpenID and had vulnerable code. Those sites have made the fix.

“The researchers contacted the main websites impacted, and those sites have deployed a fix. OpenID Foundation board members have worked to identify other websites that were impacted and similarly have them deploy a fix. There are no known examples of attacks using this technique,” the advisory said.

John Fontana at Ping Identity, which uses OpenID, has more details on the issue in this post, which first brought the bug to light.

The major commercial products that implement OpenID, including Ping and others, aren’t vulnerable to this problem.

Discussion

  • Anonymous on

    The scary thing is that data validation is a very basic first step towards security. Most developers use frameworks because the framework takes care of the monotonous heavy lifting. I'm glad this wasn't exploited (as far as they know) but it could have been messy; especially with highly targeted sites (social media) using it.
