Dumb mode question
meepbear *
meepbear at hotmail.com
Sat Jul 2 21:26:44 PDT 2005
Maybe I'm missing something totally obvious, but what's keeping someone who
runs a consumer from using dumb mode on other consumers to impersonate users
that IDed to the consumer they're running?

John IDs to a consumer that Jack runs which is set to purposefully pass the
server an invalid handle on checkid_immediate. The server will set
invalidate_handle on mode == id_res, issue a new handle, and the consumer is
expected to drop back to dumb mode and issue a POST check_immediate.

Couldn't Jack now go to any other site and just copy/paste (of course making
the path point to the other consumer and not his own) the GET request with
mode == id_res to trick that other consumer into thinking it made a valid
request but the server lost the handle and it's supposed to fall back to dumb
mode?

But as far as I can tell, the server has no way of knowing whether
check_authentication is coming from the right consumer or not. It's a POST,
so it can't rely on return_to. It can't authenticate the user either, since
the consumer is making the request.

It will rebuild the token and compare the HMAC hash to openid.sig, but
they'll match since it's valid data from Jack's consumer. It returns a valid
assertion, and now any other consumer will believe that Jack is John?
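The scenario above, simulated end to end as an added example (this is not code from the post or from any OpenID implementation). It models the server's id_res assertion, its dumb-mode check_authentication endpoint, and the consumer-side handling. The MAC key, association handle, identity URL and return_to URLs are constructed sample values; association setup, nonces and transport are left out. The point it shows from the consumer's side: check_authentication indeed cannot tell which consumer is POSTing, but the signature in openid.sig covers return_to, so a consumer that refuses any id_res whose return_to is not its own URL never accepts an assertion that was issued to Jack's site, and if Jack edits return_to to name the other site the HMAC no longer verifies.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the simulation (not from the original post).
SERVER_MAC_KEY = b"constructed-mac-key-for-handle-42"
ASSOC_HANDLE = "handle-42"


def kv_token(fields, signed):
    """OpenID 1.1 key-value token: one 'name:value\\n' line per signed field, in signed order."""
    return "".join("%s:%s\n" % (name, fields[name]) for name in signed).encode("utf-8")


def hmac_sha1_sig(fields, signed, mac_key):
    """Base64 HMAC-SHA1 over the token; this is the value carried in openid.sig."""
    digest = hmac.new(mac_key, kv_token(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def server_issue_id_res(identity, return_to):
    """Server side: a positive assertion whose signature binds the return_to it was issued for."""
    signed = ["mode", "identity", "return_to"]
    fields = {
        "mode": "id_res",
        "identity": identity,
        "return_to": return_to,
        "assoc_handle": ASSOC_HANDLE,
        "signed": ",".join(signed),
    }
    fields["sig"] = hmac_sha1_sig(fields, signed, SERVER_MAC_KEY)
    return fields


def server_check_authentication(posted):
    """Dumb-mode endpoint. It cannot tell who POSTed; it only recomputes the MAC
    over the posted fields, treating mode as id_res as OpenID 1.1 specifies."""
    try:
        signed = posted["signed"].split(",")
        as_signed = dict(posted, mode="id_res")
        expected = hmac_sha1_sig(as_signed, signed, SERVER_MAC_KEY)
        return hmac.compare_digest(expected, posted["sig"])
    except KeyError:
        return False


def consumer_accept(my_return_to, received):
    """Consumer side in dumb mode. Returns (identity, reason); identity is None on rejection.
    The return_to check is what defeats an id_res copied from another consumer."""
    signed = received.get("signed", "").split(",")
    if not {"identity", "return_to"} <= set(signed):
        return None, "identity and return_to are not covered by the signature"
    if received.get("return_to") != my_return_to:
        return None, "return_to names a different consumer; assertion was not issued to us"
    post_body = dict(received, mode="check_authentication")
    if not server_check_authentication(post_body):
        return None, "server rejected the signature"
    return received["identity"], "ok"


if __name__ == "__main__":
    jack = server_issue_id_res("http://john.example/", "http://jack.example/return")
    print(consumer_accept("http://jack.example/return", jack))
    print(consumer_accept("http://other.example/return", jack))
    edited = dict(jack, return_to="http://other.example/return")
    print(consumer_accept("http://other.example/return", edited))
```

Run as a script, the three calls show the legitimate flow accepted at Jack's consumer, the unmodified copy rejected at the other consumer before any POST is made, and the copy with an edited return_to rejected by check_authentication because the recomputed HMAC no longer matches openid.sig.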