OpenID Attribute Exchange flaw
Posted on 06 May 2011.
The OpenID Foundation has issued an alert for all sites using OpenID that don't confirm that the information passed through Attribute Exchange - the service extension for exchanging identity information between endpoints - was signed.

Apparently, when the information is not signed, an attacker is able to modify it. This in itself is not a big problem if the site uses Attribute Exchange to receive only low-security information, but could be a huge one if it receives information that it only trusts the identity provider to assert.

Fortunately, there is a fix for this vulnerability:
For apps that are vulnerable, we recommend modifying application code to accept only signed attribute values as an initial step. We confirmed apps using OpenID4Java are prone to accepting unsigned attributes. Please update to the latest version of this library (0.9.6 final) if you’re using it or any dependent libraries (such as Step2). Kay Framework was also vulnerable, but has since been patched in version 1.0.2. Other libraries may have the same issue though the default usage of services/libraries from Janrain, Ping Identity and DotNetOpenAuth are not susceptible to this attack.
Also, good news is the fact that attacks exploiting this flaw have not been detected so far, and that many of the affected sites have already been notified and have implemented the fix.






Spotlight

(IN)SECURE Magazine issue 43 released!

Posted on 16 September 2014.  |  (IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. This issue covers web application security, mobile hacking, certification, Black Hat, and much more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Sep 17th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //