OpenID Vulnerable To Authentication Attack Flaw

The OpenID Foundation last week released a security bulletin warning of a serious bug that would allow attackers to modify OpenID authentication data. Sites that have implemented OpenID 2.0 should check their sites to see if the security hole exists and patch it immediately.

OpenID is an open source project that allows users to prove their identity without creating a username and password on the site. Facebook, Google, WordPress and Yahoo are some of the major websites that allow users to log in using OpenID.

OpenID Attribute Exchange

Researchers discovered the issue in OpenID’s Attribute Exchange, a feature that allows a website to receive the user’s identity information from an authorised server, the foundation said in its advisory on May 5. Some sites were not confirming that the information being sent by AX was signed, which meant that the site wouldn’t know if an attacker had modified the information while it was in transit between the requesting server and the OpenID server, according to the advisory.

“If the site is only using AX to receive low-security information like a user’s self-asserted gender, then this will probably not be a problem. However if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack,” the OpenID Foundation said in the advisory.

No attacks have been spotting in the wild exploiting the flaw. However, there is the threat that an attacker could use it to “modify information passed between parties and impersonate a user”, John Fontana, an evangelist at Ping Identity, wrote on the Ping Talk blog.

Attackers would be able to manipulate the attributes during the OpenID transaction and gain access to the victim’s account, Fontana said.

Major websites

Researchers and OpenID Foundation board members contacted major websites that were impacted and the problem has been fixed on those sites, according to the foundation. The sites were not named in the advisory. Commercial services and libraries from Janrain, Ping Identity and DotNetOpenAuth were not affected by this issue, OpenID Foundation said.

Web administrators who suspect their applications are vulnerable should modify application code to accept only signed attribute values, the foundation suggested. Applications using OpenID4Java are the most vulnerable as they are prone to accepting unsigned attributes, so administrators should update to the latest version, 0.9.6, of the Java library if it is being used, the foundation said. The Kay Framework patched the flaw in version 1.0.2.

Security researchers Rui Wang, Shuo Chen and XiaoFeng Wang are credited for uncovering the flaw.

The OpenID Foundatoin reported there were more than 9 million websites using OpenID to allow users to register and login to at least some portion of the site in December 2009. By using OpenID, users can authorise a site such as Google to act as a identity provider for other sites that have implemented OpenID, making it a form of single sign-on for multiple websites. Google has proposed PseudoID, a mechanism to protect users that would prevent attackers from linking stolen sign-on credentials back to user accounts.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Share
Published by
Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
Tags: attackflaw

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

19 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

20 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

21 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

22 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

1 day ago