Dumb mode question

meepbear * meepbear at hotmail.com
Sat Jul 2 21:26:44 PDT 2005


Maybe I'm missing something totally obvious but what's keeping someone who 
runs a consumer from using dumb mode on other consumers to impersonate users 
that IDed to the consumer they're running?

John IDs to a consumer that Jack runs which is set to purposefully pass the 
server an invalid handle on checkid_immediate. The server will set 
invalidate_handle on mode == id_res, issue a new handle and the consumer is 
expected to drop back to dumb mode and issue a POST check_immediate.

Couldn't Jack now go to any other site and just copy/paste (of course making 
the path point to the other consumer and not his own) the GET request with 
mode == id_res to trick that other consumer into thinking it made a valid 
request but the server lost the handle and it's supposed to fall back to dumb 
mode?

But as far as I can tell, the server has no way of knowing whether 
check_authentication is coming from the right consumer or not. It's a POST 
so it can't rely on return_to. It can't authenticate the user either since 
the consumer is making the request.

It will rebuild the token and compare the HMAC hash to openid.sig but 
they'll match since it's valid data from Jack's consumer. It returns a valid 
assertion and now any other consumer will believe that Jack is John?
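Added example (not code from this post or from any OpenID implementation): a toy model of the flow described above, with a simplified HMAC-SHA1 signature over mode/identity/return_to, showing that check_authentication by itself cannot tell which consumer is asking, and that it is the consumer's own check of the signed return_to against its own URL that rejects an assertion issued for a different site. The Server class, function names, URLs and the key:value signing form are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example: simplified OpenID 1.x-style signing, HMAC-SHA1 over a
# key:value form of the signed fields. URLs and names below are made up.
SIGNED_FIELDS = ("mode", "identity", "return_to")

def kv_form(fields):
    return "".join(f"{n}:{fields.get(n, '')}\n" for n in SIGNED_FIELDS).encode()

def signature(secret, fields):
    mac = hmac.new(secret, kv_form(fields), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Server:
    def __init__(self):
        self.handles = {}  # association handle -> shared secret

    def id_res(self, identity, return_to):
        # The consumer sent an unknown handle, so the server mints a private
        # one; the consumer must verify this assertion via check_authentication.
        handle = secrets.token_hex(8)
        self.handles[handle] = secrets.token_bytes(20)
        fields = {"mode": "id_res", "identity": identity,
                  "return_to": return_to, "assoc_handle": handle}
        fields["sig"] = signature(self.handles[handle], fields)
        return fields

    def check_authentication(self, fields):
        # Dumb mode: the server only recomputes the signature; it has no way
        # of knowing which consumer is asking (the point raised in the post).
        secret = self.handles.get(fields.get("assoc_handle"))
        if secret is None:
            return False
        return hmac.compare_digest(signature(secret, fields), fields.get("sig", ""))

def naive_consumer_accepts(server, own_return_to, fields):
    # Accepts any assertion the server confirms, whoever it was issued for.
    return server.check_authentication(fields)

def careful_consumer_accepts(server, own_return_to, fields):
    # The signed return_to names the consumer the assertion was issued for;
    # one issued for another site is rejected before the server is even asked.
    if fields.get("return_to") != own_return_to:
        return False
    return server.check_authentication(fields)
```

Because return_to is covered by the signature, an assertion cannot be re-pointed at another consumer without invalidating openid.sig, so the consumer-side comparison is what closes the gap the server cannot see.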
