Slashdot Mirror


OpenID Warns of Serious Remote Bug, Urges Upgrade

Trailrunner7 writes "The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem. The bug in OpenID lies in the system's Attribute Exchange, an extension that gives sites the ability to exchange identity information between endpoints. OpenID, an open source project that enables users to prove their identity to myriad sites without providing their passwords, is used by a slew of popular sites, including Google, Yahoo and Flickr."

27 of 45 comments

  1. One more down by M0j0_j0j0 · · Score: 1

    So, now, everyone is having a security audit, guess why? By own experience, I can say, security is actually something you do not want to spend money on, of course when the shit hits the fan, it gets a pretty decent budget, until then, you are just paranoid!

  2. Re:OpenID is a pile of crap. by growse · · Score: 2

    I've not had to log into a stackoverflow site since the first time I logged in, about 3 months ago.

    I conclude "You're doing it wrong".

    --
    There is nothing interesting going on at my blog
  3. RTF linked post by Anonymous Coward · · Score: 4, Informative

    http://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/5/5/Researchers-find-OpenID-vulnerability-sites-patch-hole

    This only affects sites that use OpenID's AttributeExchange. If you just use it for authentication (and use the relying party's claimed identifier as the protocol advises) you are not/never were vulnerable.

  4. The concept of OpenID doesn't seem very secure by Bloodwine77 · · Score: 2

    I can see using OpenID for throwaway accounts, but I would never use it for anything serious. I use different passwords for every site I visit, so if one site gets compromised then my other accounts are still safe. OpenID puts all the eggs in one basket, and that just doesn't sit well with me.

    1. Re:The concept of OpenID doesn't seem very secure by Anonymous Coward · · Score: 2, Informative

      Given the average software developer's attention to security and the average company's attitude towards security, would you rather:

      -Deal with the hassle of creating a new password for each site (possibly with some per-site algorithm, that with enough compromises, could be deduced), and the associated inconvenience of remembering them all

      or:

      -Put all your eggs in one basket with an OpenID provider that *does* take security seriously (Google, Yahoo, etc. can function as OpenID relying parties - and you can also use two factor authentication with Google now), so that basket is extremely well protected, and dodge the issue of giving random sites on the internet a password entirely?

    2. Re:The concept of OpenID doesn't seem very secure by Dunbal · · Score: 2

      OpenID puts all the eggs in one basket.

      Apparently it's more like a sieve than a basket. A sieve with very big holes where the eggs can fall out if you shake it enough.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:The concept of OpenID doesn't seem very secure by abulafia · · Score: 2

      Put all your eggs in one basket with an OpenID provider that *does* take security seriously (Google, Yahoo, etc. can function as OpenID relying parties - and you can also use two factor authentication with Google now), so that basket is extremely well protected, and dodge the issue of giving random sites on the internet a password entirely?

      That's easy. I would rather use per-site passwords.

      Even if you trust Google's security without qualification, which you shouldn't, as they've been compromised before both internally and externally, there is the problem of interest alignment. Your interests are not the same as Google's.

      As for deducing per-site passwords, well, if you can, then I'm doing it wrong, or you have either my master key or broken SHA2. And I don't remember any of them. That is what password managers are for.

      Final thought: if you've convinced yourself of the wisdom of depending on the almighty Google (or Yahoo, or whoever), you might want to watch and see if they happen to upgrade their OpenID system in the next little bit. Just a thought.

      --
      I forget what 8 was for.
    4. Re:The concept of OpenID doesn't seem very secure by meba · · Score: 4, Informative

      There are ways... You can for example get a Yubi Key: http://www.yubico.com/yubikey, then get your own Drupal based OpenID provider: http://drupal.org/project/openid_provider and use the http://drupal.org/project/yubikey module. Result? You host your own OpenID provider and every time you want to use it, you need to have the Yubi Key - no one can steal your identity unless he steals your USB Key and your OTP.

    5. Re:The concept of OpenID doesn't seem very secure by brusk · · Score: 4, Funny

      If you're shaking a sieveful of eggs, the size of the holes isn't your biggest problem.

      --
      .sig withheld by request
    6. Re:The concept of OpenID doesn't seem very secure by SuperQ · · Score: 4, Informative

      Then you don't understand the concept.

      OpenID allows you to keep your password AWAY from various sites. For example if I wanted to login to slashdot I can use any OpenID provider I want. This means that slashdot never gets my password. Slashdot gets a just-for-it token that my OpenID provider gives. If slashdot gets broken, no big deal that token can't be used for anything else, and my password is never released.

      Guess what, I run my own OpenID provider so the only one to blame for loss of my authentication is myself. My own server is the only thing that gets the password and that exchange is done entirely over SSL.

    7. Re:The concept of OpenID doesn't seem very secure by dstar · · Score: 2

      OpenID allows you to keep your password AWAY from various sites.

      I think you mean 'OpenID allows you to train users to be vulnerable to phishing attacks'. 'Never type your password into a page unless you went directly to the site' is good advice; 'Never type your password into a page unless you went directly to the site or the site that sent you there claims to be using OpenID' is not.

    8. Re:The concept of OpenID doesn't seem very secure by tepples · · Score: 1

      I would rather use per-site passwords. [...] That is what password managers are for.

      Which shifts the point of failure to each end user's computer: the operating system and the software used to store and retrieve these per-site passwords.

    9. Re:The concept of OpenID doesn't seem very secure by cduffy · · Score: 1

      ...which is why OpenID providers who take security seriously (such as Verisign) refuse to display password entry in any request with a Referrer field.

    10. Re:The concept of OpenID doesn't seem very secure by tepples · · Score: 1

      Any site that isn't exclusively ad-supported, such as any site that sells goods or services or takes donations, is "financial".

    11. Re:The concept of OpenID doesn't seem very secure by Akzo · · Score: 1

      How do you know that the page hasn't been hijacked and is sending your password and other credentials to a third party? Once they get your OpenID they get access to everything.

      --
      Sig is for Signature, so you don't have to manually sign every post.
    12. Re:The concept of OpenID doesn't seem very secure by EMN13 · · Score: 1

      Not quite; it trains your users to only ever enter their password into precisely one site. In addition to which, under common usage you'll already be signed in and will rarely need to enter a password in the first place.

      Also, your openid provider is free to use a less risky authentication method. E.g. if you use google's you might use two-factor authentication; a process that would be far too complex and annoying if it needed setting up for every site, but hardly problematic if used for just one or two.

    13. Re:The concept of OpenID doesn't seem very secure by abulafia · · Score: 1

      Of course it does. That's exactly where I want the risk for my passwords.

      I'm not writing this from the perspective of an enterprise architect or a protocol designer, I'm talking about risk and incentives wearing the hat of an individual user.

      --
      I forget what 8 was for.
  5. Bug? by Wowsers · · Score: 1

    Is it a bug or feature of "Open" ID?

    --
    Take Nobody's Word For It.
  6. Avoiding OpenID due to myOpenID fiasco by Anonymous Coward · · Score: 1

    Some time ago myOpenID.com lost all (or some portion) of their registered accounts (afaik this was due to Amazon's cloud trouble). Which was annoying because I used it for my stackexchange login. As it turns out, I could just recreate my login with the same name and voila I could use it to access my stackexchange account. That means if someone had created an account with my name before I did they'd have full access to my SE account.

    I never realised how potentially broken things could get with OpenID and I'm being a bit wary about ever using OpenID again, even though I suppose I should've been more careful about what OpenID provider I picked.

    1. Re:Avoiding OpenID due to myOpenID fiasco by pslam · · Score: 1

      Some time ago myOpenID.com lost all (or some portion) of their registered accounts (afaik this was due to Amazon's cloud trouble). Which was annoying because I used it for my stackexchange login. As it turns out, I could just recreate my login with the same name and voila I could use it to access my stackexchange account. That means if someone had created an account with my name before I did they'd have full access to my SE account.

      These are problems with myOpenID not OpenID. You're mixing protocol and provider.

      I never realised how potentially broken things could get with OpenID and I'm being a bit wary about ever using OpenID again, even though I suppose I should've been more careful about what OpenID provider I picked.

      You even say it yourself: you should've been more careful picking an OpenID provider. In any case, what did you lose? Nothing. What could you potentially have lost? A login on StackExchange. Many people would love to only have that problem.

    2. Re:Avoiding OpenID due to myOpenID fiasco by pslam · · Score: 1

      So yeah, OpenID is only as good as its providers, and it's been demonstrated to me that they can be pretty damn insecure, ergo, I'm avoiding using OpenID for now. Using it for everything makes the OpenID provider I picked a single point of failure. I hate having to use separate accounts for everything but at least when something bad happens, it doesn't usually affect anything else.

      I just think this is like stopping driving just because one manufacturer made an unsafe car. You may be prematurely missing out - and making other people miss out - on what's potentially a good solution to password proliferation.

  7. Re:I wonder how long it will take... by GameboyRMH · · Score: 1

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. The actual "weakness" by Plombo · · Score: 2

    The summary is very misleading. From TFA:

    A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). See below for information on the suggested fix. The researchers determined that some sites were not confirming that the information passed through AX was signed. That allows an attacker to modify the information. If the site is only using AX to receive low-security information like a user's self-asserted gender, then this will probably not be a problem. However if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack.

    There are no AX attributes that all providers are required to support, nor are there any (as far as I know) available from enough providers to "trust the identity provider" for. Even the basic ones like name and email address can't be relied upon.

    Before you log in to a site using OpenID, if you have a decent provider (Google and Launchpad both do this; I don't know about others), it will tell you exactly what information the relying site is asking for, and what it's going to send to the relying party. I have yet to see a relying site that uses AX for anything other than my email address and sometimes my name. And once you register on a site using OpenID, the site will ask you for that information anyway using the AX attributes as default form values if they are available, since AX can't be relied on to provide the information. This "weakness" in OpenID only exists for relying sites that use AX for "information that it only trusts the identity provider to assert", which only exist in theory. Calling this a "serious remote bug" is a joke.

    And most importantly, the summary doesn't make clear that even on the theoretical sites where this is an actual problem, your login and valuable personal information cannot be compromised by this vulnerability, because AX is not used for any of that. That is what a "serious remote bug" in OpenID would be.

  9. Misleading article & summary by ArwynH · · Score: 1

    I just RTFA and it is just as confusing as the summary. I wish blog authors would at least try and understand the subject before writing about it. OpenID is a specification. As far as I can tell the specification is safe, so implementations that follow the specification correctly are safe. However it seems that there are a few implementations that skip an important part of the process, namely input verification. Basically saying OpenID is broken because of this is like saying SQL is broken because some sites are vulnerable to SQL injection attacks.

    1. Re:Misleading article & summary by EMN13 · · Score: 1

      It's more akin to saying that SQL is broken because some versions of PHP allow SQL injection. The bug was in two common library implementations and can be fixed merely by updating the library... I also love how the article sensationalizes the issue and calls this a "serious" vulnerability... how exactly is this vulnerability going to be exploited in a "serious" fashion? That sure doesn't sound easy to do for most openid uses...
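The check Plombo's quoted article and ArwynH's "input verification" comment are both talking about, written out as an added example (this is not code from the page, from the OpenID Foundation, or from any of the affected libraries): a relying party must not only verify the OP's signature over the fields listed in `openid.signed`, it must also refuse to use any AX attribute whose field is not in that list. The block below assumes an HMAC-SHA256 association whose MAC key is a constructed value, handles single-valued AX attributes only, and builds three constructed `id_res` responses: one with the attribute signed, one where the OP signed only the core fields and an unsigned AX attribute was added to the redirect afterwards, and one where a signed attribute was modified after signing. All names, URLs and values in it are made up for the example.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"
# Constructed association secret for the example; a real RP gets the MAC key
# from its association with the OP (or falls back to check_authentication).
MAC_KEY = b"constructed-association-secret-not-a-real-key"


def signed_fields(params):
    """Field names (without the 'openid.' prefix) the OP's signature covers."""
    return [f for f in params.get("openid.signed", "").split(",") if f]


def kv_form(params, fields):
    """OpenID 2.0 key-value form over the listed fields, in list order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)


def compute_sig(params, mac_key):
    """Base64(HMAC-SHA256(mac_key, kv_form)), as an HMAC-SHA256 association signs."""
    mac = hmac.new(mac_key, kv_form(params, signed_fields(params)).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def signature_valid(params, mac_key):
    fields = signed_fields(params)
    if any("openid." + f not in params for f in fields):
        return False  # a listed field is missing: malformed response
    return hmac.compare_digest(compute_sig(params, mac_key), params.get("openid.sig", ""))


def ax_attributes(params, mac_key, require_signed=True):
    """Extract single-valued AX attributes from a positive assertion.

    require_signed=True is the correct RP behaviour: an attribute is returned only
    when its namespace declaration and its value field are both in openid.signed.
    require_signed=False mirrors the defective behaviour the thread describes: the
    signature verifies, but fields outside the signed list are trusted anyway.
    """
    if not signature_valid(params, mac_key):
        raise ValueError("OpenID signature does not verify")
    signed = set(signed_fields(params))
    attrs = {}
    for key, value in params.items():
        if not key.startswith("openid.ns.") or value != AX_NS:
            continue
        alias = key[len("openid.ns."):]
        if require_signed and f"ns.{alias}" not in signed:
            continue  # unsigned namespace alias: nothing under it is trustworthy
        prefix = f"openid.{alias}.value."
        for vkey, vvalue in params.items():
            if not vkey.startswith(prefix):
                continue
            if require_signed and vkey[len("openid."):] not in signed:
                continue  # value field not covered by the signature
            attrs[vkey[len(prefix):]] = vvalue
    return attrs


# ---- constructed sample responses -------------------------------------------
CORE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
AX_FIELDS = "ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"


def _base_response():
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2011-05-06T12:00:00Zconstructed",
        "openid.assoc_handle": "constructed-assoc-handle",
    }


def _with_ax(params, email):
    params.update({
        "openid.ns.ext1": AX_NS,
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.email": "http://axschema.org/contact/email",
        "openid.ext1.value.email": email,
    })
    return params


def signed_ax_response():
    """Constructed: the OP signed the core fields and the AX attribute."""
    p = _with_ax(_base_response(), "alice@example.com")
    p["openid.signed"] = CORE + "," + AX_FIELDS
    p["openid.sig"] = compute_sig(p, MAC_KEY)
    return p


def unsigned_ax_response():
    """Constructed: the OP signed only the core fields; the AX fields were added
    to the redirect afterwards, so the signature does not cover them."""
    p = _base_response()
    p["openid.signed"] = CORE
    p["openid.sig"] = compute_sig(p, MAC_KEY)
    return _with_ax(p, "mallory@example.com")


def modified_signed_response():
    """Constructed: a signed attribute value was changed after signing."""
    p = signed_ax_response()
    p["openid.ext1.value.email"] = "mallory@example.com"
    return p
```

The second constructed response is the interesting one: `signature_valid` passes, so a library that stops there hands `mallory@example.com` to the site, while `ax_attributes` with `require_signed=True` returns nothing for it. The third response fails signature verification outright, which is the case the signature was always protecting against; the 2011 advisory is about the gap between those two cases.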

  10. Wow, really is an Open ID by AbrasiveCat · · Score: 1

    Just I don't want my ID open to everyone.

  11. Slashdot OpenID by theCoder · · Score: 1

    Somewhat OT, but what happened to the ability to log into /. with my open ID? My account still has the OpenID associated with it, but the login area for /. doesn't seem to let me use an open ID anymore. Or is there a lesser known login area that lets one use open ID?

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown