What about spoofing pseudo-consumers?
oid at rasqual.silk.com
Fri Nov 11 04:56:17 PST 2005
I've been thinking about what could be risky in the OpenID specifications.
Here is a scenario I came up with:
A malicious website (pseudo-consumer) tries to phish to careless users
submitting an identity.
Then, knowing the URL of the OpenID server, the pseudo-consumer presents a
cached login page by putting it in a frame or an iframe to hide its real
The user, believing something went wrong with the server session, enters
his/her login and password to log back in.
Finally, the pseudo-consumer can even pretend the auth went smoothly by
logging in of the user.
Does it sound alarming, unlikely to you?
A tech user would probably not be deceived by this trick, but how about a
More information about the yadis