OpenID Attribute Exchange flaw
Posted on 06 May 2011.
The OpenID Foundation has issued an alert for all sites using OpenID that don't confirm that the information passed through Attribute Exchange - the service extension for exchanging identity information between endpoints - was signed.

Apparently, when the information is not signed, an attacker is able to modify it. This in itself is not a big problem if the site uses Attribute Exchange to receive only low-security information, but could be a huge one if it receives information that it only trusts the identity provider to assert.

Fortunately, there is a fix for this vulnerability:
For apps that are vulnerable, we recommend modifying application code to accept only signed attribute values as an initial step. We confirmed apps using OpenID4Java are prone to accepting unsigned attributes. Please update to the latest version of this library (0.9.6 final) if you’re using it or any dependent libraries (such as Step2). Kay Framework was also vulnerable, but has since been patched in version 1.0.2. Other libraries may have the same issue though the default usage of services/libraries from Janrain, Ping Identity and DotNetOpenAuth are not susceptible to this attack.
Also, good news is the fact that attacks exploiting this flaw have not been detected so far, and that many of the affected sites have already been notified and have implemented the fix.






Spotlight

Almost 1 in 10 Android apps are now malware

Posted on 28 July 2014.  |  Cheetah Mobile Threat Research Labs analyzed trends in mobile viruses for Q1 and Q2 of 2014. Pulling 24.4 million sample files they found that 2.2 million files had viruses. This is a 153% increase from the number of infected files in 2013.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Jul 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //