What about spoofing pseudo-consumers?

Martin Atkins mart at degeneration.co.uk
Fri Nov 11 06:38:58 PST 2005

Rasqual Twilight wrote:
> I've been thinking about what could be risky in the OpenID specifications.
> Here is a scenario I came up with:
> A malicious website (pseudo-consumer) tries to phish to careless users 
> submitting an identity.
> Then, knowing the URL of the OpenID server, the pseudo-consumer presents a 
> cached login page by putting it in a frame or an iframe to hide its real 
> URL.
> The user, believing something went wrong with the server session, enters 
> his/her login and password to log back in.
> Finally, the pseudo-consumer can even pretend the auth went smoothly by 
> logging in of the user.
> Does it sound alarming, unlikely to you?
> A tech user would probably not be deceived by this trick, but how about a 
> general user?

If I'm understanding you right, the root of your concern is that a 
consumer will pretend that the user needs to log into his homesite 
before his identity can be validated, thus obtaining the login 
credentials for the homesite.

For this reason, servers are recommended to display warnings that the 
user should ensure that the URL shown in the address bar is correct 
before continuing, and honest consumers are recommended not to open the 
server requests in a way which obscures this information.

Your frame/iframe trick would not allow the site to pretend to be, say, 

It *is* a concern, but it's a social rather than a technical one. It has 
to be fixed by educating users and helping them make good trust judgements.

More information about the yadis mailing list