OpenID Attribute Exchange flaw
Posted on 06 May 2011.
The OpenID Foundation has issued an alert for all sites using OpenID that don't confirm that the information passed through Attribute Exchange - the service extension for exchanging identity information between endpoints - was signed.

Apparently, when the information is not signed, an attacker is able to modify it. This in itself is not a big problem if the site uses Attribute Exchange to receive only low-security information, but could be a huge one if it receives information that it only trusts the identity provider to assert.

Fortunately, there is a fix for this vulnerability:
For apps that are vulnerable, we recommend modifying application code to accept only signed attribute values as an initial step. We confirmed apps using OpenID4Java are prone to accepting unsigned attributes. Please update to the latest version of this library (0.9.6 final) if youíre using it or any dependent libraries (such as Step2). Kay Framework was also vulnerable, but has since been patched in version 1.0.2. Other libraries may have the same issue though the default usage of services/libraries from Janrain, Ping Identity and DotNetOpenAuth are not susceptible to this attack.
Also, good news is the fact that attacks exploiting this flaw have not been detected so far, and that many of the affected sites have already been notified and have implemented the fix.






Spotlight

USBdriveby: Compromising computers with a $20 microcontroller

Posted on 19 December 2014.  |  Security researcher Samy Kamkar has devised a fast and easy way to compromise an unlocked computer and open a backdoor on it: a simple and cheap ($20) pre-programmed Teensy microcontroller.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Fri, Dec 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //