Phishing attacks on OpenID
paul at ciphergoth.org
Wed Jun 1 18:24:05 PDT 2005
OpenID as currently specified provides the perfect setting for a
devastating phishing attack.
I decide to comment on a badguys.com blog entry, so I go to log in. I
get redirected to livejourna1.com (note the 1) and presented with a log
in page. I wonder briefly what happened to my LJ login cookie, and type
in my username and password. badguys.com and livejourna1.com conspire
seamlessly to make it look like a successful login attempt.
The thing that makes this attack cunning is that (1) it won't ring any
alarm bells in me - unlike an email saying "For security reasons,
LiveJournal requires you to validate your login, please click the link
below", everything that happens is completely part of the normal course
of events, including events after typing in my password - and (2) it
captures my SSO password, making it a valuable target for phishing attacks.
The only fix I can see is to back out of the whole idea of seamlessly
logging in to the identity server if it doesn't already know who you
are, and to replace that page with one that does not provide a login
box, but that prompts you to look the site up in your bookmarks and log
in that way, and warns you that that is always how you must log in and
anything that says otherwise is a phishing attempt. That's a little
inconvenient but I can't see a better strategy.
\/ o\ Paul Crowley, paul at ciphergoth.org
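As an added example (not from the post, nor from any OpenID implementation), here is the kind of client-side check a browser or an identity-aware login helper could run on the redirect target before showing the user a login form: it compares the redirect host against the identity providers the user has already enrolled and flags near-misses such as the livejourna1.com look-alike described above. The confusables table, the trusted-host list and the URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Characters and digraphs commonly substituted for letters in look-alike hostnames.
# Constructed for this example; a real deployment would use a full confusables table.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Fold confusable characters to the letters they imitate. It is applied to
    both sides of a comparison, so 'journal' and 'joumal' folding to the same
    string is harmless."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character swaps like 'livejourna1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels of the host. Simplification: real code needs the
    Public Suffix List to handle names such as example.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_redirect(url: str, trusted_hosts) -> str:
    """Classify where an identity-server login redirect is taking the user:
    'trusted'   - registrable domain the user has already enrolled,
    'lookalike' - a near-miss of a trusted domain (warn, never show a login box),
    'unknown'   - anything else (treat as untrusted)."""
    target = registrable(urlsplit(url).hostname or "")
    known = {registrable(t) for t in trusted_hosts}
    if target in known:
        return "trusted"
    for k in known:
        if normalize(target) == normalize(k) or edit_distance(target, k) <= 1:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample: the user has enrolled one identity provider.
    for u in ("https://www.livejournal.com/login", "https://livejourna1.com/login"):
        print(u, "->", classify_redirect(u, ["livejournal.com"]))
```

Prefix tricks such as livejournal.com.badguys.com fall into 'unknown' because only the registrable domain is compared; transpositions two edits away are not caught by this table and distance bound, which is why the post's advice to reach the identity server only via a bookmark remains the stronger control.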