List: openid-security
Subject: [security] User Impersonation
From: mart () degeneration ! co ! uk (Martin Atkins)
Date: 2007-03-05 18:29:42
Message-ID: 45EC6196.8090908 () degeneration ! co ! uk
Paul C. Bryan wrote:
>
> 3. I, the attacker, set up my attacking OpenID page
> (http://attacker.org/attackjohn.html) with the following link
> relationships:
>
> openid.server = http://rogeidp.org/openid
> openid.delegate = http://secureid.org/jsmith
>
> 4. I go to John's favorite Wiki site, where he has authored a lot of
> content and developed a reputation using his OpenID identity. I can
> authenticate with the site just as he does, and impersonate him in all
> of my further deeds.
>
> </scenario>
>
> So, am I missing something?
>
Yes, you are. :)
In the above situation, despite the "delegate" reference a site is
required to use the "claimed identifier"
http://attacker.org/attackjohn.html rather than the delegate identifier
http://secureid.org/jsmith, so even if http://rogeidp.org/openid
provides a positive assertion for http://secureid.org/jsmith the end
site will identify you as http://attacker.org/attackjohn.html. You have
gained nothing.
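The identifier mapping Martin describes, written out as an added Python example (this is not code from the thread or from any OpenID library, and the page HTML, the assertion parameters and the URLs are constructed to mirror the scenario above; signature verification against the server is deliberately left out so the example only models which identifier the relying party records):

```python
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed stand-in for what fetching the claimed identifier would return:
# the hypothetical attacker page from the scenario, delegating to jsmith.
ATTACKER_PAGE_HTML = """
<html><head>
<link rel="openid.server" href="http://rogeidp.org/openid">
<link rel="openid.delegate" href="http://secureid.org/jsmith">
</head><body>attack page</body></html>
"""


@dataclass
class Discovery:
    claimed_id: str   # the URL the user typed at the relying party
    server: str       # openid.server endpoint found on that page
    delegate: str     # openid.delegate, or claimed_id when no delegate is given


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> pairs from the claimed identifier page."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():
                self.rels.setdefault(r.lower(), href)


def discover(claimed_id: str, page_html: str) -> Discovery:
    """OpenID 1.x HTML discovery: find server and optional delegate for a claimed id."""
    p = _LinkRelParser()
    p.feed(page_html)
    server = p.rels.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link on claimed identifier page")
    return Discovery(
        claimed_id=claimed_id,
        server=server,
        delegate=p.rels.get("openid.delegate", claimed_id),
    )


def identity_after_assertion(disc: Discovery, assertion: dict) -> str:
    """Decide which identifier the relying party records after a positive assertion.

    `assertion` is a constructed dict of the openid.* parameters the server
    returned. The server asserts the *delegate* (that is what the RP sent it),
    so the RP must check the asserted identity against the delegate it
    discovered itself, then bind the session to the *claimed* identifier.
    Signature verification with disc.server is assumed to have been done.
    """
    if assertion.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if assertion.get("openid.identity") != disc.delegate:
        raise ValueError(
            "asserted identity does not match the delegate discovered for the claimed identifier"
        )
    return disc.claimed_id


def run_thread_scenario() -> str:
    """Replay the scenario: rogeidp.org vouches for jsmith, RP records attacker URL."""
    disc = discover("http://attacker.org/attackjohn.html", ATTACKER_PAGE_HTML)
    assertion = {
        "openid.mode": "id_res",
        "openid.identity": "http://secureid.org/jsmith",  # what rogeidp.org asserts
    }
    return identity_after_assertion(disc, assertion)


if __name__ == "__main__":
    print("RP identifies the user as:", run_thread_scenario())
```

The point the code makes explicit is that the delegate only ever appears in the exchange between the relying party and the server; the identifier that goes into the wiki's session is the one the user typed, so the attacker page ends up logged in as itself. The mismatch check additionally rejects a response whose asserted identity is not the delegate that discovery found for that claimed identifier.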