Phishing attacks on OpenID
Jason Nelson
Jason at nterface.com
Wed Jun 1 19:08:38 PDT 2005
An independent concern if you ask me.
The threat of phishing exists anywhere that passwords are exchanged. Users
need to be cautious about whom they give their password out to, especially
when coming from a site that hasn't gained their trust (eg: badguys.com).
A better approach may be to train users to check the URL carefully before
entering their credentials. I don't think we should degrade the overall
user experience for this reason.
Jason Nelson
Software Architect / President
nterface, LLC
-----Original Message-----
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of Paul Crowley
Sent: 06/01/2005 6:24 PM
To: yadis at lists.danga.com
Subject: Phishing attacks on OpenID
OpenID as currently specified provides the perfect setting for a
devastating phishing attack.
I decide to comment on a badguys.com blog entry, so I go to log in. I
get redirected to livejourna1.com (note the 1) and presented with a login
page. I wonder briefly what happened to my LJ login cookie, and type
in my username and password. badguys.com and livejourna1.com conspire
seamlessly to make it look like a successful login attempt.
The thing that makes this attack cunning is that (1) it won't ring any
alarm bells in me - unlike an email saying "For security reasons,
LiveJournal requires you to validate your login, please click the link
below", everything that happens is completely part of the normal course
of events, including events after typing in my password - and (2) it
captures my SSO password, making it a valuable target for phishing attacks.
The only fix I can see is to back out of the whole idea of seamlessly
logging in to the identity server if it doesn't already know who you
are, and to replace that page with one that does not provide a login
box, but that prompts you to look the site up in your bookmarks and log
in that way, and warns you that that is always how you must log in and
anything that says otherwise is a phishing attempt. That's a little
inconvenient but I can't see a better strategy.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
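A user-agent-side check of the kind both messages point at (compare the host an OpenID redirect lands on against the identity providers the user has bookmarked before showing any password box), as an added example that is not part of this thread or of OpenID itself; the bookmarked provider list, the confusable-character table and the two-label registrable-domain rule are assumptions.

```python
"""Flag lookalike identity-provider hosts before a user types an SSO password."""
from urllib.parse import urlsplit

# Constructed: hosts the user has bookmarked as identity providers (hypothetical).
TRUSTED_IDP_HOSTS = {"livejournal.com"}

# Digits and symbols commonly substituted for visually similar letters.
CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize_host(url: str) -> str:
    """Lowercase hostname of url, without port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no public-suffix list available offline)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(host: str) -> str:
    """Fold confusables so 'livejourna1.com' and 'livejournal.com' compare equal."""
    return host.translate(CONFUSABLE_CHARS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, catching slips such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_redirect(url: str, trusted=frozenset(TRUSTED_IDP_HOSTS)) -> str:
    """'trusted' for a bookmarked provider, 'lookalike' if it merely resembles
    one, otherwise 'unknown'; only 'trusted' should ever get a password box."""
    domain = registrable_domain(normalize_host(url))
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    for known in trusted:
        if skeleton(domain) == skeleton(known) or edit_distance(domain, known) <= 2:
            return "lookalike"
    return "unknown"
```

Note that a trusted name used as a subdomain of another site (livejournal.com.badguys.com) is classified as unknown, not trusted, because only the registrable domain is compared.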
_______________________________________________
yadis mailing list
yadis at lists.danga.com
http://lists.danga.com/mailman/listinfo/yadis