Archives for the ‘OpenID’ Category

Verisign fix overlay vulnerability

I’m pleased to announce that Verisign have fixed the CSS overlay vulnerability I disclosed. It is good news that the OpenID providers respond well to security reports, as I think security is extremely important, especially with a single sign-on service. Verisign acted very professionally, communicated well and fixed the flaw promptly.

OpenID account security

Many developers design their system security based on what the software does; this is a mistake: you should always design a security system based on what your software might do. I’m quite surprised when people don’t understand this. I often think of potential scenarios and discuss flaws in a current implementation based on those […]

OpenID security CSS overlays

Update: Verisign have now fixed the vulnerability. I’ve written about this before, but I’m sure that some people might not know the risks involved, so I’ve created a demonstration of how to use CSS and iframe overlays to take any section of a web site and place it on any other web site. The user […]
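The overlay trick the post demonstrates, shown here as an added example rather than the post's own demo code: a wrapper element with overflow hidden clips a large, negatively offset iframe so that only one rectangle of the target page is visible, and the attacker's page draws its own content around it. The second half is the check a provider would want: given the target's response headers, can a page on the attacker's origin frame it at all? The target URL, the pixel offsets and the origins are hypothetical, and the header check follows the browser rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options.

```javascript
// Added example, not code from the original post. Target URL and offsets are
// hypothetical: they stand in for the login box of some OpenID provider page.
const OVERLAY = {
  target: 'https://provider.example/login', // hypothetical target page
  left: 300, top: 150,                       // where the interesting box sits
  width: 420, height: 180,                   // size of the box to expose
};

// CSS for the overlay: the wrapper is exactly the size of the region we want to
// show and hides everything else; the iframe is oversized and shifted up/left so
// that the chosen region of the framed page lands inside the wrapper.
function overlayCss(o) {
  return {
    wrapper: `position:relative;width:${o.width}px;height:${o.height}px;overflow:hidden;`,
    frame: `position:absolute;left:-${o.left}px;top:-${o.top}px;width:2000px;height:2000px;border:0;`,
  };
}

// Build the overlay in a browser document. Only runs when a DOM is present, so
// the file can also be loaded in Node to exercise the header check below.
function mountOverlay(doc, o) {
  const css = overlayCss(o);
  const wrapper = doc.createElement('div');
  wrapper.setAttribute('style', css.wrapper);
  const frame = doc.createElement('iframe');
  frame.src = o.target;
  frame.setAttribute('style', css.frame);
  frame.setAttribute('scrolling', 'no');
  wrapper.appendChild(frame);
  doc.body.appendChild(wrapper);
  return wrapper;
}
if (typeof document !== 'undefined') mountOverlay(document, OVERLAY);

// Defence check: may a page at attackerOrigin frame a response carrying these
// headers from targetOrigin? Returns true when the overlay above would work.
function canBeFramedBy(headers, attackerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const attacker = attackerOrigin.toLowerCase();
  const target = targetOrigin.toLowerCase();

  // CSP frame-ancestors wins over X-Frame-Options in browsers that support it.
  const directive = (h['content-security-policy'] || '')
    .split(';').map((s) => s.trim()).find((s) => /^frame-ancestors\b/i.test(s));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // An empty source list matches nothing, so .some() correctly yields false.
    return sources.some((src) => {
      if (src === "'none'") return false;
      if (src === '*') return true;
      if (src === "'self'") return attacker === target;
      if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return attacker.startsWith(src); // scheme source, e.g. https:
      return src === attacker; // explicit origin; host wildcards are not handled here
    });
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return attacker === target;
  // No recognised header: any page may frame it, which is what the overlay relies on.
  return true;
}
```

The check is what a provider should run against its own login and authorisation pages: if `canBeFramedBy` returns true for a foreign origin, the page can be clipped into someone else's site exactly as the demo does, and a frame-busting script alone is not a reliable fix because it runs inside the attacker's frame.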

OpenID security issues

Background: I contacted MyOpenID about a vulnerability I found in their system. I was really impressed with these guys: they responded to my email in a day and within two days they had fixed the problem. I decided to keep quiet about this vulnerability because many other providers contained a similar flaw and I worked […]

What is OpenID and why hasn’t it been setup correctly?

How it works: You place a tag on your blog/website which links to your OpenID provider. Using this tag the OpenID server confirms that your blog should be authenticated through its service. So when you enter your blog URL into an OpenID-enabled web site it will ask for your password on the OpenID provider’s […]
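The "tag on your blog" is OpenID 1.1 delegation: two link elements in the page head, `openid.server` naming the provider endpoint and `openid.delegate` naming the identity the provider actually knows you by. As an added example, not code from the post, this is what a relying party does with them: fetch the claimed URL, read the two tags, and redirect the browser to the provider with a checkid_setup request. The sample page and every host name are constructed for the example; the relying party must also remember which server it discovered for a claimed URL and verify the later signed assertion against that same server, not against whatever endpoint appears in the response.

```javascript
// Added example, not from the original post. The page below is constructed;
// blog.example, openid.provider.example and rp.example are hypothetical hosts.
const SAMPLE_PAGE = `<html><head>
<title>My blog</title>
<link rel="openid.server" href="https://openid.provider.example/server">
<link rel="openid.delegate" href="https://openid.provider.example/user/alice">
</head><body>hello</body></html>`;

// Read one attribute from the attribute string of a tag; quotes are optional
// in the wild, so all three forms are accepted.
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Discovery: collect rel -> href for every <link> in the head. Only the head is
// scanned, as OpenID 1.1 requires, so tags injected into a comment body lower
// down the page (a classic blog attack) are ignored.
function discover(html) {
  const head = html.split(/<\/head>/i)[0];
  const links = {};
  const tag = /<link\b([^>]*)>/gi;
  let m;
  while ((m = tag.exec(head)) !== null) {
    const rel = attr(m[1], 'rel');
    const href = attr(m[1], 'href');
    if (rel && href) {
      for (const r of rel.trim().split(/\s+/)) links[r.toLowerCase()] = href.trim();
    }
  }
  const server = links['openid.server'];
  if (!server) return null; // not an OpenID identifier page
  return { server, delegate: links['openid.delegate'] || null };
}

// Build the checkid_setup redirect. With delegation the provider is asked
// about the delegate URL, not the blog URL the user typed.
function buildCheckidSetup(claimedId, disc, returnTo, trustRoot) {
  const endpoint = new URL(disc.server);
  if (endpoint.protocol !== 'https:') {
    throw new Error('refusing to send the user to a non-TLS OpenID server');
  }
  endpoint.searchParams.set('openid.mode', 'checkid_setup');
  endpoint.searchParams.set('openid.identity', disc.delegate || claimedId);
  endpoint.searchParams.set('openid.return_to', returnTo);
  endpoint.searchParams.set('openid.trust_root', trustRoot);
  return endpoint.toString();
}

// Usage: what the relying party would do after fetching https://blog.example/
const discovered = discover(SAMPLE_PAGE);
if (discovered) {
  buildCheckidSetup('https://blog.example/', discovered,
    'https://rp.example/openid/return', 'https://rp.example/');
}
```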