Phishing attacks on OpenID
Jason at nterface.com
Wed Jun 1 19:08:38 PDT 2005
An independent concern if you ask me.
The threat of phishing exists anywhere that passwords are exchanged. User's
need to be cautious about whom they give their password out to especially
when coming from a site that hasn't gain their trust (eg: badguys.com).
A better approach may be to train user's to check the URL carefully before
entering their credentials. I don't think we shouldn't degrade the overall
user experience for this reason.
Software Architect / President
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of Paul Crowley
Sent: 06/01/2005 6:24 PM
To: yadis at lists.danga.com
Subject: Phishing attacks on OpenID
OpenID as currently specified provides the perfect setting for a
devastating phishing attack.
I decide to comment on a badguys.com blog entry, so I go to log in. I
get redirected to livejourna1.com (note the 1) and presented with a log
in page. I wonder briefly what happened to my LJ login cookie, and type
in my username and password. badguys.com and livejourna1.com conspire
seamlessly to make it look like a successful login attempt.
The thing that makes this attack cunning is that (1) it won't ring any
alarm bells in me - unlike an email saying "For security reasons,
LiveJournal requires you to validate your login, please click the link
below", everything that happens is completely part of the normal course
of events, including events after typing in my password - and (2) it
captures my SSO password, making it a valuable target for phishing attacks.
The only fix I can see is to back out of the whole idea of seamlessly
logging in to the identity server if it doesn't already know who you
are, and to replace that page with one that does not provide a login
box, but that prompts you to look the site up in your bookmarks and log
in that way, and warns you that that is always how you must log in and
anything that says otherwise is a phishing attempt. That's a little
incovenient but I can't see a better strategy.
\/ o\ Paul Crowley, paul at ciphergoth.org
yadis mailing list
yadis at lists.danga.com
More information about the yadis