Published 18 years 6 months ago • Last updated March 22, 2025 • ⏱️ 2 min read
Many developers often design their system security based on what the software does; this is a mistake you should always design a security system based on what your software might do. I'm quite surprised when people don't understand this, I often think of potential scenarios and discuss flaws in a current implementation based on those scenarios. Just because something doesn't work now, doesn't mean it won't in future. Here I shall discuss three scenarios based on OpenID account security.
Attack: The attacker constructs a Google query to gather a list of valid OpenID indentity pages, they then use a regular expression to gain the username (OpenID Identifier). The attacker then tries either a dictionary attack or simply uses the username as the password.
Defense:
Attack: A buddy system is launched to enable OpenID users to communicate with each other, the problem is not many providers protect against registration of official looking account names. For example webmaster, root, admin and administrator.
Defense:
Attack: The bad guys find a cross domain exploit in a major browser, because the passwords on OpenID providers are often saved, the attacker can gather the HTML source and form tokens. Users and web sites are now under full control of the bad guy.
Defense: It's pretty much game over when a cross domain exploit is found but a provider can have systems in place to help minimise damage.