Slashdot Mirror


OAuth, OpenID Password Crack Could Affect Millions

CWmike writes "Researchers Nate Lawson and Taylor Nelson say they've discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into websites such as Twitter and Digg. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords. This may all sound very theoretical, but timing attacks can actually succeed in the real world. Three years ago, one was used to hack Microsoft's Xbox 360 gaming system, and people who build smart cards have added timing attack protection for years. The researchers plan to discuss their attacks at the Black Hat conference later this month in Las Vegas."

5 of 304 comments

  1. Every password can be broken by Some.Net(Guy) · Score: 2, Funny

    It's just a matter of time. Anyone seen Swordfish?

  2. Re:OpenID by Reason58 · Score: 5, Funny

    Wait, doesn't slashdot use OpenID?

    hahahah

    DISREGARD THAT I SUCK COCKS

  3. lolswordfish by crow_t_robot · Score: 4, Funny

    Just drop a logic bomb through the trap door, right?

    That movie makes me cringe.

  4. Re:Why the fuzz? by maxume · Score: 5, Funny

    The sarcastic answer is development.

    --
    Nerd rage is the funniest rage.

  5. Re:Add a random delay by Michael Kristopeit · Score: 1, Funny

    1) submit password
    2) measure delay of response.

    that's it.... the delay is a single measurement of time that the "timing-based attack" is based on.

    if every single individual measurement of time was obfuscated in some way that created a fixed delay plus a random delay as a function of the original delay, then the whole or the average of multiple samples of the whole is irrelevant.

    billions of attempts would still not get close enough to an exploitable level of confidence.

    if the hidden value is irrelevant, and the averages of samples reveal the hidden value... then the averages of samples is also irrelevant, but you've wasted the stupid attacker's time in believing that a timing-based attack might be possible.

    you are as dumb as every other youth to attend the kansas bible camp.

    completely ignorant.