Phishing attacks on OpenID

Xageroth Sekarius xageroth at
Wed Jun 1 18:36:54 PDT 2005

I do agree; however, this isn't something the least bit unique to OpenID,
and anything that would combat phishing could be used to combat this.

The simplest method I can think of would be a verification image (or
sentence) supplied by the user upon account creation. Each time the
user is redirected by a site to their identity host (
their verification image will load. If their image doesn't load it
would easily catch the user's attention, and the user should be advised
by their identity host to never continue without first seeing their
verification image.

This way, phishing is still technically possible, but would require a
lot more work and a more targeted attack involved.
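
Added example, not part of the original post or of any OpenID/Yadis code: one way an identity host could release the verification phrase only to the browser that enrolled it, so a look-alike login page cannot fetch it by username alone. It assumes the host sets a signed cookie at account creation; `enroll`, `phrase_for_request` and the cookie format are hypothetical names chosen for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state for a hypothetical identity host.
SERVER_KEY = secrets.token_bytes(32)   # signs browser cookies
PHRASES = {}                           # user -> verification phrase


def _sign(user: str, nonce: str) -> str:
    msg = f"{user}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def enroll(user: str, phrase: str) -> str:
    """Account creation: store the phrase, return a cookie for this browser."""
    if "|" in user:
        raise ValueError("'|' is the cookie field separator")
    PHRASES[user] = phrase
    nonce = secrets.token_hex(16)
    return f"{user}|{nonce}|{_sign(user, nonce)}"


def phrase_for_request(cookie):
    """Login page: return the phrase only for a cookie this host issued.

    Returns None when the cookie is missing, malformed or forged. The page
    should then render no phrase at all, never a default one, so the
    absence is what the user notices.
    """
    if not cookie:
        return None
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, nonce, tag = parts
    expected = _sign(user, nonce)
    # Constant-time comparison on bytes; also tolerates non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return PHRASES.get(user)
```

A request arriving without the cookie (for example, one relayed by a phishing page) gets no phrase, which is the missing-image signal the post describes.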
