The OpenID mechanism that allows users to designate a Website to authenticate them as valid users on other sites may not be implemented correctly, researchers warned.
The OpenID Foundation last week released a security bulletin
warning of a serious bug that allows attackers to modify OpenID
authentication data. Sites that have implemented OpenID 2.0 should check to see if the security hole exists and patch it immediately.
OpenID is an open-source project that allows users to prove
their identity without creating a username and password on the site. Facebook,
Google, WordPress and Yahoo are some of the major Websites that allow users to
log in using OpenID.
Researchers discovered the issue in OpenID's
, a feature that allows a Website to receive the user's
identity information from an authorized server, the foundation said in its
advisory on May 5. Some sites were not
confirming that the information being sent by AX was signed, which meant that
the site wouldn't know if an attacker had modified the information while it was
in transit between the requesting server and the OpenID server, according to
"If the site is only using AX to receive low-security
information like a user's self-asserted gender, then this will probably not be a
problem. However if it is being used to receive information that it only trusts
the identity provider to assert, then it creates the potential for an
attack," the OpenID Foundation said in the advisory.
No attacks have been spotted in the wild exploiting the
flaw. However, there is the threat that an attacker could use it to "modify
information passed between parties and impersonate a user," John Fontana, an
evangelist at Ping Identity, wrote on the Ping
Attackers would be able to manipulate the attributes during
the OpenID transaction and gain access to the victim's account, Fontana said.
Researchers and OpenID Foundation board members contacted
major Websites that were impacted, and the problem has been fixed on those
sites, according to the foundation. The sites were not named in the advisory.
Commercial services and libraries from Janrain, Ping Identity and DotNetOpenAuth
were not affected by this issue, the OpenID Foundation said.
Web administrators who suspect their applications are
vulnerable should modify application code to accept only signed attribute
values, the foundation suggested. Applications using OpenID4Java are the most
vulnerable as they are prone to accepting unsigned attributes, so
administrators should update to the latest version, 0.9.6, of the Java library
if it is being used, the foundation said. The Kay Framework patched the flaw in Version 1.0.2.
Security researchers Rui Wang, Shuo Chen and XiaoFeng Wang
are credited for uncovering the flaw.
The OpenID Foundatoin reported there were more than 9 million Websites using OpenID to allow users to register and log in to at least some
portion of their site in December 2009. By using OpenID, users can authorize a
site such as Google to act as a identity provider for other sites that have
implemented OpenID, making it a form of single sign-on for multiple Websites.
Google has proposed PseudoID, a mechanism to protect users that would prevent
attackers from linking stolen sign-on credentials back to user accounts.