OpenID Attribute Exchange flaw
Posted on 06 May 2011.
The OpenID Foundation has issued an alert for all sites using OpenID that don't confirm that the information passed through Attribute Exchange - the service extension for exchanging identity information between endpoints - was signed.

Apparently, when the information is not signed, an attacker is able to modify it. This in itself is not a big problem if the site uses Attribute Exchange to receive only low-security information, but could be a huge one if it receives information that it only trusts the identity provider to assert.

Fortunately, there is a fix for this vulnerability:
For apps that are vulnerable, we recommend modifying application code to accept only signed attribute values as an initial step. We confirmed apps using OpenID4Java are prone to accepting unsigned attributes. Please update to the latest version of this library (0.9.6 final) if you’re using it or any dependent libraries (such as Step2). Kay Framework was also vulnerable, but has since been patched in version 1.0.2. Other libraries may have the same issue though the default usage of services/libraries from Janrain, Ping Identity and DotNetOpenAuth are not susceptible to this attack.
Also, good news is the fact that attacks exploiting this flaw have not been detected so far, and that many of the affected sites have already been notified and have implemented the fix.


Pen-testing drone searches for unsecured devices

You're sitting in an office, and you send a print job to the main office printer. You see or hear a drone flying outside your window. Next thing you know, the printer buzzes to life and, after spitting out your print job, it continues to work and presents you with more filled pages than you expected.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 9th