Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Serious flaw in OpenID - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Serious flaw in OpenID

 

Last Thursday the OpenID foundation announced a serious weakness in the Attribute Exchange extension to OpenID which permits sites to exchange information between endpoints. Essentially, it is possible to pass information through Attribute Exchange unsigned, which could potentially permit an attacker to modify the information.
 
There are no known exploits at this time, and the major sites that use OpenID have been contacted and have deployed a fix. For the rest of you who have applications using OpenID the recommendation is to update the OpenID4Java library to 0.9.6 final.
 
Futher details are available at the Threatpost blog and the Ping Talk Blog.

 

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

290 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!