Published 19 years 2 months ago • Last updated March 22, 2025 • ⏱️ 2 min read
You place a tag on your blog/website which links to the OpenID server provider. Using this tag, the OpenID server confirms that your blog should use authorisation through its service. So when you enter your blog into an OpenID-enabled web site, it will ask for your password on the OpenID provider's service.
Well, the hole in this service is the fact that the specification allows you to log in to a web site without a password. How so, you say? Well, when you log in to the OpenID provider you enter your password and it remembers it (caches it), allowing any web site in the world to possibly abuse this.
Well, I'm currently working on some more concept code to prove my theory, but I've already produced an example that affected many OpenID providers.
http://janrain.com/blog/2007/03/22/myopenid-security-fix/
I can see the OpenID service being very popular and therefore producing a huge security risk. I care because I don't want a huge chunk of the internet exploited by the bad guys.
Easy! Ask for the password every time a request to log in to a web site is made. The OpenID provider needs to do this in order to prevent the attack above and also many other possible attacks. I want the OpenID specification to be changed to force OpenID providers to always ask for your password.
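The fix described above, sketched as provider-side decision logic next to the cached-login behaviour it replaces. This is an added example, not code from this post or from any OpenID provider; the function, field and constant names are hypothetical, and it assumes the `checkid_setup` / `checkid_immediate` request modes of OpenID 1.1.

```python
# Added example: provider-side policy. Function, field and constant names are
# hypothetical; only the openid.* parameter names and modes are OpenID 1.1.
import hashlib
import hmac
import secrets

PROMPT, ASSERT, FAIL_IMMEDIATE = "prompt_password", "positive_assertion", "immediate_failure"
SERVER_KEY = secrets.token_bytes(32)  # provider-side secret for binding tokens


def password_token(user, req):
    """Token proving `user` typed a correct password for exactly this request."""
    fields = (user, req.get("openid.identity", ""), req.get("openid.return_to", ""),
              req.get("openid.trust_root", ""))
    return hmac.new(SERVER_KEY, "\n".join(fields).encode(), hashlib.sha256).hexdigest()


def decide(req, session, always_ask=True):
    """Return the provider's action for one authentication request."""
    mode = req.get("openid.mode")
    if mode not in ("checkid_setup", "checkid_immediate"):
        raise ValueError("not an authentication request")
    user = session.get("user")
    if user and not always_ask:
        return ASSERT  # weak: the cached login answers for any requesting site
    if user:
        token = session.pop("password_token", "")  # single use, then ask again
        if hmac.compare_digest(token, password_token(user, req)):
            return ASSERT
    # No fresh password entry for this request; immediate mode cannot show a form.
    return FAIL_IMMEDIATE if mode == "checkid_immediate" else PROMPT


# Constructed sample requests (example.* hosts are placeholders).
SITE_A = {"openid.mode": "checkid_setup", "openid.identity": "http://alice.example/",
          "openid.return_to": "http://site-a.example/finish",
          "openid.trust_root": "http://site-a.example/"}
SITE_B = {**SITE_A, "openid.mode": "checkid_immediate",
          "openid.return_to": "http://site-b.example/finish",
          "openid.trust_root": "http://site-b.example/"}

if __name__ == "__main__":
    print("cached login, site B:", decide(SITE_B, {"user": "alice"}, always_ask=False))
    print("always ask,   site B:", decide(SITE_B, {"user": "alice"}))
    fresh = {"user": "alice", "password_token": password_token("alice", SITE_A)}
    print("always ask,   site A after password:", decide(SITE_A, fresh))
    print("always ask,   site A again:", decide(SITE_A, fresh))
```

In a real provider, `password_token` would be stored in the session only by the handler that has just verified the password submitted for that specific request.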