OpenID Warns of Serious Remote Bug, Urges Upgrade

Trailrunner7 writes "The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem. The bug in OpenID lies in the system's Attribute Exchange, an extension that gives sites the ability to exchange identity information between endpoints. OpenID, an open source project that enables users to prove their identity to myriad sites without providing their passwords, is used by a slew of popular sites, including Google, Yahoo and Flickr."

Re:

[growse]

I've not had to log into a stackoverflow site since the first time I logged in, about 3 months ago.

I conclude "You're doing it wrong".

One more down

[M0j0_j0j0]

So, now, everyone is having a security auditing , guess why? By own experience, i can say , security is actually something you do not want to expend money on, of course when the shit hits the fan , it gets a pretty decent budget , until them, you are just paranoid!

RTF linked post

[Anonymous Coward]

http://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/5/5/Researchers-find-OpenID-vulnerability-sites-patch-hole

This only affects sites that use OpenID's AttributeExchange. If you just use it for authentication (and use the relying party's claimed identifier as the protocol advises) you are not/never were vulnerable.

Re:

[GameboyRMH]

They're already working on it:

http://www.wired.com/threatlevel/2011/04/obama-online-security/ [wired.com]

The concept of OpenID doesn't seem very secure

[Bloodwine77]

I can see using OpenID for throwaway accounts, but I would never use it for anything serious. I use different passwords for every site I visit, so if one site gets compromised then my other accounts are still safe. OpenID puts all the eggs in one basket, and that just doesn't sit well with me.

Re:

[Anonymous Coward]

Given the average software developer's attention to security and the average company's attitude towards security, would you rather:

-Deal with the hassle of creating a new password for each site (possibly with some per-site algorithm, that with enough compromises, could be deduced), and the associated inconvenience of remembering them all

or:

-Put all your eggs in one basket with an OpenID provider that *does* take security seriously (Google, Yahoo, etc. can function as OpenID relying parties - and you can als

Re:

[abulafia]

Put all your eggs in one basket with an OpenID provider that *does* take security seriously (Google, Yahoo, etc. can function as OpenID relying parties - and you can also use two factor authentication with Google now), so that basket is extremely well protected, and dodge the issue of giving random sites on the internet a password entirely?

That's easy. I would rather use per-site passwords.

Even if you trust Google's security without qualification, which you shouldn't, as they've been compromised before both internally and externally, there is the problem of interest alignment. Your interests are not the same as Google's.

As for deducing per-site passwords, well, if you can, then I'm doing it wrong, or you have either my master key or broken SHA2. And I don't remember any of them That is what password managers are for.

Final thought-

Re:

[tepples]

I would rather use per-site passwords. [...] That is what password managers are for.

Which shifts the point of failure to each end user's computer: the operating system and the software used to store and retrieve these per-site passwords.

Re:

[tepples]

Any site that isn't exclusively ad-supported, such as any site that sells goods or services or takes donations, is "financial".

Re:

[abulafia]

Of course it does. That's exactly where I want the risk for my passwords.

I'm not writing this from the perspective of an enterprise architect or a protocol designer, I'm talking about risk and incentives wearing the hat of an individual user.

Re:

[Dunbal]

OpenID puts all the eggs in one basket.

Apparently it's more like a sieve than a basket. A sieve with very big holes where the eggs can fall out if you shake it enough.

Re:The concept of OpenID doesn't seem very secure

[brusk]

If you're shaking a sieveful of eggs, the size of the holes isn't your biggest problem.

Re:The concept of OpenID doesn't seem very secure

[meba]

There are ways... You can for example get a Yubi Key: http://www.yubico.com/yubikey [yubico.com], then get your own Drupal based OpenID provider: http://drupal.org/project/openid_provider [drupal.org] and use http://drupal.org/project/yubikey [drupal.org] module. Result? You host your own OpenID provider and everytime you want to use it, you need to have the Yubi Key - no one can steal your identity unless he steals your USB Key and your OTP

Re:The concept of OpenID doesn't seem very secure

[SuperQ]

Then you don't understand the concept.

OpenID allows you to keep your password AWAY from various sites. For example if I wanted to login to slashdot I can use any OpenID provider I want. This means that slashdot never gets my password. Slashdot gets a just-for-it token that my OpenID provider gives. If slashdot gets broken, no big deal that token can't be used for anything else, and my password is never released.

Guess what, I run my own OpenID provider so the only one to blame for loss of my authentication is myself. My own server is the only thing that gets the password and that exchange is done entirely over SSL.

Re:

[dstar]

OpenID allows you to keep your password AWAY from various sites.

I think you mean 'OpenID allows you to train users to be vulnerable to phishing attacks'. 'Never type your password into a page unless you went directly to the site' is good advice; 'Never type your password into a page unless you went directly to the site or the site that sent you there claims to be using OpenID' is not.

Re:

[cduffy]

...which is why OpenID providers who take security seriously (such as Verisign) refuse to display password entry in any request with a Referrer field.

Re:

[EMN13]

Not quite; it trains your users to only ever enter their password into precisely one site. In addition to which, under common usage you'll already be signed in and will rarely need to enter a password in the first place.

Also, your openid provider is free to use a less risky authentication method. E.g. if you use google's you might use two-factor authentication; a process that would be far too complex and annoying if it needed setting up for every site, but hardly problematic if used for just one or two.

Re:

[Akzo]

How do you know that the page hasn't been hijacked and is sending your password and other credentials to a third party? Once they get your OpenID they get access to everything.

Bug?

[Wowsers]

Is it a bug or feature of "Open" ID?

Avoiding OpenID due to myOpenID fiasco

[Anonymous Coward]

Some time ago myOpenID.com lost all (or some portion) of their registered accounts (afaik this was due to Amazon's cloud trouble). Which was annoying because I used it for my stackexchange login. As it turns out, I could just recreate my login with the same name and voila I could use it to access my stackexchange account. That means if someone had created an account with my name before I did they'd have full access to my SE account.

I never realised how potentially broken things could get with OpenID and I'

Re:

[pslam]

Some time ago myOpenID.com lost all (or some portion) of their registered accounts (afaik this was due to Amazon's cloud trouble). Which was annoying because I used it for my stackexchange login. As it turns out, I could just recreate my login with the same name and voila I could use it to access my stackexchange account. That means if someone had created an account with my name before I did they'd have full access to my SE account.

These are problems with myOpenID not OpenID. You're mixing protocol and pr

Re:

[pslam]

So yeah, OpenID is only as good as its providers, and it's been demonstrated to me that they can be pretty damn insecure, ergo, I'm avoiding using OpenID for now. Using it for everything makes the OpenID provider I picked a single point of failure. I hate having to use seperate accounts for everything but at least when something bad happens, it doesn't usually affect anything else.

I just think this is like stopping driving just because one manufacturer made an unsafe car. You may be prematurely missing ou

The actual "weakness"

[Plombo]

The summary is very misleading. From TFA:

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). See below for information on the suggested fix. The researchers determined that some sites were not confirming that the information passed through AX was signed. That allows an attacker to modify the information. If the site is only using AX to receive low-security information like a users self-asserted gender, then this will probably not be a problem. However if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack.

There are no AX attributes that all providers are required to support, nor are there any (as far as I know) available from enough providers to "trust the identity provider" for. Even the basic ones like name and email address can't be relied upon.

Before you log in to a site using OpenID, if you have a decent provider (Google and Launchpad both do this; I don't know about others), it will tell you exactly what information the relying site is asking for, and what it'

Misleading article & summary

[ArwynH]

I just RTFA and it is just as confusing as the summary. I wish blog authors would at least try and understand the subject before writing about it.. OpenID is a specification. As far as I can tell the specification is safe, so implementations that follow the specification correctly are safe. However it seems that there are a few implementations that skip an important part of the process, namely input verification. Basically saying OpenID is broken because of this is like saying SQL is broken because some s

Re:

[EMN13]

It's more akin to saying that SQL is broken because some versions of PHP allow SQL injection. The bug was in two common library implementations and can be fixed merely by updating the library... I also love how the article sensationalizes the issue and calls this a "serious" vulnerability... how exactly is this vulnerability going to be exploited in a "serious" fashion? That sure doesn't sound easy to do for most openid uses...

Wow, really is an Open ID

[AbrasiveCat]

Just I don't want my ID open to everyone.

Slashdot OpenID

[theCoder]

Somewhat OT, but what happened to the ability to log into /. with my open ID? My account still has the OpenID associated with it, but the login area for /. doesn't seem to let me use an open ID anymore. Or is there a lesser known login area that lets one use open ID?