Phishing attacks on OpenID

Paul Crowley paul at
Wed Jun 1 18:24:05 PDT 2005

OpenID as currently specified provides the perfect setting for a 
devastating phishing attack.

I decide to comment on a blog entry, so I go to log in.  I 
get redirected to (note the 1) and presented with a login 
page.  I wonder briefly what happened to my LJ login cookie, and type 
in my username and password. and conspire 
seamlessly to make it look like a successful login attempt.

The thing that makes this attack cunning is that (1) it won't ring any 
alarm bells in me - unlike an email saying "For security reasons, 
LiveJournal requires you to validate your login, please click the link 
below", everything that happens is completely part of the normal course 
of events, including events after typing in my password - and (2) it 
captures my SSO password, making it a valuable target for phishing attacks.

The only fix I can see is to back out of the whole idea of seamlessly 
logging in to the identity server if it doesn't already know who you 
are, and to replace that page with one that does not provide a login 
box, but that prompts you to look the site up in your bookmarks and log 
in that way, and warns you that that is always how you must log in and 
anything that says otherwise is a phishing attempt.  That's a little 
inconvenient but I can't see a better strategy.

\/ o\ Paul Crowley, paul at
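The fix proposed above, modelled as an added example (not code from the post or from any OpenID implementation): an identity server answering a checkid_setup request with no valid session. The first handler shows the behaviour the post objects to, the second the proposed one. The session store, the Response type and the minimal assertion fields are constructed for the example.

```python
"""Identity-server handling of an OpenID checkid_setup request when the
browser carries no valid session.  Helper names and the session store are
assumptions made for this example, not OpenID library code."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed session store: cookie value -> identity URL it authenticates.
SESSIONS = {"cookie-abc123": "http://example.invalid/users/paul"}


@dataclass
class Response:
    status: int
    body: str
    location: Optional[str] = None


def _assertion_redirect(params: dict, identity: str) -> str:
    # Positive assertion sent back to the consumer's return_to URL
    # (constructed minimal field set, not a complete assertion).
    query = urlencode({"openid.mode": "id_res", "openid.identity": identity})
    sep = "&" if "?" in params["openid.return_to"] else "?"
    return params["openid.return_to"] + sep + query


def checkid_setup_current(params: dict, cookie: Optional[str]) -> Response:
    """Behaviour the post describes: an unauthenticated checkid_setup is
    answered with a password form inside the redirected flow, so the user
    learns to type the SSO password into whatever page the redirect lands on."""
    identity = SESSIONS.get(cookie)
    if identity is None:
        return Response(200, '<form method="post" action="/login">'
                             '<input name="user">'
                             '<input name="password" type="password">'
                             '</form>')
    return Response(302, "", location=_assertion_redirect(params, identity))


def checkid_setup_proposed(params: dict, cookie: Optional[str]) -> Response:
    """Proposed fix: never render a login box in the redirected flow.  With no
    session, tell the user to open the identity server from a bookmark and
    log in there; the request completes only from an existing session."""
    identity = SESSIONS.get(cookie)
    if identity is None:
        return Response(200, "You are not logged in to your identity server. "
                             "Open it from your bookmarks, log in there, and "
                             "retry.  This page never asks for your password.")
    return Response(302, "", location=_assertion_redirect(params, identity))
```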

More information about the yadis mailing list