Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cloud
    • Cybersecurity
    • Networking

    OpenID Foundation Warns Websites of Authentication Flaw

    By
    Fahmida Y. Rashid
    -
    May 9, 2011
    Share
    Facebook
    Twitter
    Linkedin

      The OpenID Foundation last week released a security bulletin warning of a serious bug that allows attackers to modify OpenID authentication data. Sites that have implemented OpenID 2.0 should check to see if the security hole exists and patch it immediately.

      OpenID is an open-source project that allows users to prove their identity without creating a username and password on the site. Facebook, Google, WordPress and Yahoo are some of the major Websites that allow users to log in using OpenID.

      Researchers discovered the issue in OpenID’s Attribute Exchange, a feature that allows a Website to receive the user’s identity information from an authorized server, the foundation said in its advisory on May 5. Some sites were not confirming that the information being sent by AX was signed, which meant that the site wouldn’t know if an attacker had modified the information while it was in transit between the requesting server and the OpenID server, according to the advisory.

      “If the site is only using AX to receive low-security information like a user’s self-asserted gender, then this will probably not be a problem. However if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack,” the OpenID Foundation said in the advisory.

      No attacks have been spotted in the wild exploiting the flaw. However, there is the threat that an attacker could use it to “modify information passed between parties and impersonate a user,” John Fontana, an evangelist at Ping Identity, wrote on the Ping Talk blog.

      Attackers would be able to manipulate the attributes during the OpenID transaction and gain access to the victim’s account, Fontana said.

      Researchers and OpenID Foundation board members contacted major Websites that were impacted, and the problem has been fixed on those sites, according to the foundation. The sites were not named in the advisory. Commercial services and libraries from Janrain, Ping Identity and DotNetOpenAuth were not affected by this issue, the OpenID Foundation said.

      Web administrators who suspect their applications are vulnerable should modify application code to accept only signed attribute values, the foundation suggested. Applications using OpenID4Java are the most vulnerable as they are prone to accepting unsigned attributes, so administrators should update to the latest version, 0.9.6, of the Java library if it is being used, the foundation said. The Kay Framework patched the flaw in Version 1.0.2.

      Security researchers Rui Wang, Shuo Chen and XiaoFeng Wang are credited for uncovering the flaw.

      The OpenID Foundatoin reported there were more than 9 million Websites using OpenID to allow users to register and log in to at least some portion of their site in December 2009. By using OpenID, users can authorize a site such as Google to act as a identity provider for other sites that have implemented OpenID, making it a form of single sign-on for multiple Websites. Google has proposed PseudoID, a mechanism to protect users that would prevent attackers from linking stolen sign-on credentials back to user accounts.

      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×