OpenID security issues
Friday, 29 June 2007
I contacted MyOpenID about a vulnerability I found with their system, I was really impressed with these guys, they responded to my email in a day and within 2 days they had fixed the problem. I decided to keep quiet about this vulnerability because many other providers contained a similar flaw and I worked with them to eliminate their problems.
When developing a OpenID system is very important to include form tokens in order to prevent CSRF attacks. The MyOpenID.com site had included form tokens but the token was stored in the URL of the site.
Proof of concept
This POC no longer works as MyOpenID has fixed it, I am releasing it here to show other providers the problem of CSRF. It works by opening a new window to the OpenID enabled web site and performs a login check; the window then connects to the provider (MyOpenID) and displays the Allow URL, Deny URL etc. If the user has already logged onto their provider and saved their password, the script then gathers the form token from the URL (Safari only) using a vulnerability I found and submits a form with the correct form token and successfully adds the site to the trusted list without user interaction.
I strongly recommend that all providers confirm the password before adding a site to their trusted list and also include form tokens within the request form.