Last Thursday the OpenID Foundation announced a serious weakness in the Attribute Exchange extension to OpenID, which permits sites to exchange user attributes between endpoints. Essentially, it is possible to pass Attribute Exchange data unsigned, i.e. not covered by the signature on the OpenID assertion, which could permit an attacker to modify that information in transit without the relying party noticing.
There are no known exploits at this time, and the major sites that use OpenID have been contacted and have deployed a fix. For the rest of you who have applications using OpenID, the recommendation is to update the OpenID4Java library to 0.9.6 final.
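As an added illustration of the weakness (this is not the diary's or OpenID4Java's code), the relying-party check below refuses Attribute Exchange values unless every AX field, and the alias binding for the AX namespace, appears in the assertion's openid.signed list. The sample response, the ext1 alias and the example.invalid hosts are all constructed.

```python
# Added example, not the diary's or OpenID4Java's code: a relying-party check
# that every Attribute Exchange (AX) field of an OpenID 2.0 assertion is
# listed in openid.signed. The sample response below is constructed and
# mirrors the weakness described above: core fields signed, AX values not.

AX_NS = "http://openid.net/srv/ax/1.0"

def ax_alias(response):
    """Return the extension alias bound to the AX namespace, or None."""
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def unsigned_ax_fields(response):
    """AX fields (and the AX alias binding) not listed in openid.signed."""
    alias = ax_alias(response)
    if alias is None:
        return []
    # openid.signed lists field names without the 'openid.' prefix.
    signed = set(response.get("openid.signed", "").split(","))
    # The alias binding must be signed too, or the alias could be rebound.
    candidates = ["openid.ns." + alias] + [
        k for k in response if k.startswith("openid." + alias + ".")]
    return sorted(k for k in candidates if k[len("openid."):] not in signed)

def accept_ax_attributes(response):
    """Return AX name->value pairs, or None if any AX field is unsigned."""
    if unsigned_ax_fields(response):
        return None  # reject: extension data not covered by the signature
    prefix = "openid." + ax_alias(response) + ".value."
    return {k[len(prefix):]: v for k, v in response.items()
            if k.startswith(prefix)}

# Constructed sample: the OP signed the core fields but not the AX fields.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.invalid/endpoint",
    "openid.claimed_id": "https://op.example.invalid/user/alice",
    "openid.return_to": "https://rp.example.invalid/return",
    "openid.response_nonce": "2011-05-09T12:00:00Zconstructed",
    "openid.assoc_handle": "constructed-handle",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "alice@example.invalid",
    "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle",
    "openid.sig": "constructed-signature",
}
```

With the sample as given, `accept_ax_attributes` returns None; once the AX fields are added to openid.signed it returns the email attribute.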
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
May 9th 2011