Non-recoverable auth failure?

Evan Martin evan.martin at gmail.com
Fri Jun 24 10:09:44 PDT 2005


On 6/24/05, Brad Fitzpatrick <brad at danga.com> wrote:
> Yes, phishing will still happen, but let's not encourage it.

One plausible attack is this:  if I discover some place where HTML
isn't escaped in an LJ page, I can construct a URL to that page that
contains the HTML to cover the page with an iframe on my evil site.
From the user's perspective, they're on an LJ page with a crazy URL so
it looks ok.

Ways to help avoid this:
1) Include on the openid auth page the text: "Verify that the URL bar
says livejournal.com/auth/openid.bml, if it's not you may be getting
phished" or whatever it is.
2) Show the user some personal information that makes them more likely
to trust the site, like userpics, etc.  Unfortunately the phishers can
just download the userpics.  If the user has hidden any of their
userinfo you can say something like "to prove this is really LJ, I'll
mention that you were born in 1986, despite that being non-public
info".
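
An added illustration (not code from this thread or from LJ) of the unescaped-reflection bug Evan describes and its fix, in Python: a hypothetical page template that echoes a query parameter, rendered once without escaping and once with it, plus a check that flags any tag the template itself never emits. The template, the `ret` parameter name and the URLs are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hypothetical page template: echoes the "ret" query parameter into the body.
TEMPLATE = '<p>Sign in to continue to: {target}</p>'


def _ret_param(page_url: str) -> str:
    # parse_qs percent-decodes the value, as a browser/server pair would.
    return parse_qs(urlsplit(page_url).query).get("ret", [""])[0]


def render_unescaped(page_url: str) -> str:
    # The defect: user-controlled text is interpolated as raw HTML.
    return TEMPLATE.format(target=_ret_param(page_url))


def render_escaped(page_url: str) -> str:
    # The fix: escape <, >, &, and quotes before the value reaches the page.
    return TEMPLATE.format(target=html.escape(_ret_param(page_url), quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def foreign_tags(rendered: str, allowed=frozenset({"p"})) -> list:
    # Detection check: the template only ever emits <p>, so any other start
    # tag in the output was smuggled in through the reflected parameter.
    parser = _TagCollector()
    parser.feed(rendered)
    return [t for t in parser.tags if t not in allowed]


# Constructed request URL carrying the page-covering iframe from the message.
CRAFTED_URL = ("https://lj.example/auth/openid.bml?ret="
               "%3Ciframe%20src%3D%22https%3A%2F%2Fevil.example%2F%22%3E%3C%2Fiframe%3E")

if __name__ == "__main__":
    print(foreign_tags(render_unescaped(CRAFTED_URL)))  # ['iframe']
    print(foreign_tags(render_escaped(CRAFTED_URL)))    # []
```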

