What about spoofing pseudo-consumers?

Rasqual Twilight oid at rasqual.silk.com
Fri Nov 11 04:56:17 PST 2005

I've been thinking about what could be risky in the OpenID specifications.

Here is a scenario I came up with:

A malicious website (pseudo-consumer) tries to phish to careless users 
submitting an identity.
Then, knowing the URL of the OpenID server, the pseudo-consumer presents a 
cached login page by putting it in a frame or an iframe to hide its real 
The user, believing something went wrong with the server session, enters 
his/her login and password to log back in.
Finally, the pseudo-consumer can even pretend the auth went smoothly by 
logging in of the user.

Does it sound alarming, unlikely to you?
A tech user would probably not be deceived by this trick, but how about a 
general user?

OpenID: http://rasqual.twilight.hyde.ws/

More information about the yadis mailing list