Slashdot Mirror

← Back to Stories (view on slashdot.org)

OAuth, OpenID Password Crack Could Affect Millions

Posted by Soulskill on from the letmein-123456 dept.

CWmike writes "Researchers Nate Lawson and Taylor Nelson say they've discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into websites such as Twitter and Digg. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords. This may all sound very theoretical, but timing attacks can actually succeed in the real world. Three years ago, one was used to hack Microsoft's Xbox 360 gaming system, and people who build smart cards have added timing attack protection for years. The researchers plan to discuss their attacks at the Black Hat conference later this month in Las Vegas."

1 of 304 comments (clear)

  1. Re:Or do not have variable delays at all by ibsteve2u · · Score: 0, Offtopic

    Holy cow! All of those links, when all I wanted was an unbreakable solution in 12 words or less?!

    Now I must get back to my MegaMillions results predicting code...

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"