OpenID? Try Open To ID Phishing

Be aware of the possible downside of single cross-site sign-ons


As major Internet players back OpenID, we were reminded of an Amsterdam computer student who pointed out three scenarios that make OpenID’s single sign-on method a scary prospect.

Usernames and passwords stopped being the end-all to online security years ago. Yet it’s the model touted by OpenID as a way to make one’s browsing more convenient.

Big-name Internet players have bought into the promise of a system where one’s OpenID just works across a variety of sites. But security pros know that their tasks require finding a balance between convenience and security, and Marco Slot demonstrated how OpenID could be too much convenience and too little security.

Slot presented three scenarios where phishing someone’s OpenID credentials presents little more of a challenge than writing (or copying) some PHP code. Two of the methods can be guarded against by providers who prudently consider the consequences.

The third scenario, a basic OpenID login box set up on a malicious web page, cuts the OpenID provider out entirely. Someone enters their credentials, and the evil people end up with a login combo that probably works on more sensitive sites.

Feed the login combo to a script that checks it against common financial and retail sites, and if the person used that same username and password to log in to any such site that does not offer an additional security factor, it’s game over.
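The defensive counterpart to the third scenario is that a user's password should only ever be typed at the OpenID provider that their identifier actually points to, never on a relying party's page. The check below is an added example, not code from the article or from Slot's demonstration: it parses the `openid2.provider` / `openid.server` link tags that OpenID HTML discovery uses, then compares the origin of the page asking for a password against the discovered provider endpoint. The identifier page and the prompt URLs are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML served at a user's OpenID identifier URL.
# OpenID 1.1 / 2.0 HTML discovery advertises the provider endpoint in <link> tags.
IDENTIFIER_HTML = """<html><head>
<link rel="openid2.provider" href="https://idp.example.net/openid/auth">
<link rel="openid.server" href="https://idp.example.net/openid/auth">
</head><body>alice</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect the first href seen for each OpenID discovery rel value."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            if rel in ("openid2.provider", "openid.server") and a.get("href"):
                self.links.setdefault(rel, a["href"])


def discover_provider(identifier_html):
    """Return the provider endpoint from the identifier page, preferring OpenID 2.0."""
    p = _LinkCollector()
    p.feed(identifier_html)
    return p.links.get("openid2.provider") or p.links.get("openid.server")


def origin(url):
    """(scheme, host, port) triple; default ports filled in so comparisons are exact."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    port = u.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, u.hostname or "", port)


def password_prompt_is_legitimate(identifier_html, prompt_url):
    """True only if the page asking for the password is the user's own provider, over HTTPS.
    A login box on a relying party (the phishing page in the third scenario) fails this check."""
    endpoint = discover_provider(identifier_html)
    if endpoint is None:
        return False
    expected, actual = origin(endpoint), origin(prompt_url)
    return expected == actual and actual[0] == "https"
```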

As noted in a lengthy roundup of commentary on the Identity Corner blog from last August, the issues presented by OpenID don’t end with phishing. Tracking visits to websites by OpenID users is one example.

This discussion comes about as Google’s App Engine project debuted, and one coder created an application that turns a Google Account login into an OpenID credential. AdWords/AdSense clients in particular should be wary of using their Google Account this way. One bad phish could make finances very sick.

  • kael

    Regarding credentials theft, it’s possible to use a <a href="http://norman.rasmussen.co.za/107/xmpp-auth-for-openid/">password-less OpenID mechanism</a>.

  • mags

    I’m personally thrilled at the opportunities OpenID would unlock for blog spam. I’d only have to defeat one CAPTCHA/Turing Test and I could use my spam account at multiple sites everywhere.


    It should bring exponential increases in spam and click farm efficiency.

  • Guest

    I cannot send e-mails since I have OpenID. It presents a series of wiggly combinations of letters and numbers. When I enter the challenge in the provided box, it offers another set of combinations to copy for entry. It will not allow me to proceed past this point. I was not aware that I joined OpenID but I noticed that I have it now.

    Can you help me?

  • http://www.certifiedbattery.com Todd

    I had a recent experience that is very similar… the issue of shared credentials being hacked.

    My Skype account was hacked and stolen, and as we had been – until this happened – happy paying Skype users, we had set up the auto-recharge function to add Skype credit from our PayPal account as needed. I am sure you can guess where this is going.

    The Skype thief drained $150 from my PayPal before reaching the transfer limit, using it to buy Skype credit on the network for other people.

    When I reported this to Skype and PayPal, neither company could give a damn that this happened. Skype outright refused to do anything. PayPal said, sorry, but the charges "look legitimate to us, so you will have to get Skype to reverse it". No big surprise that both companies are a part of the eBay mafia.

    Eventually I was able to threaten PayPal enough times that they reversed the charges – but only because I use PayPal in my business, and $150 is about a week’s fees. I am amazed it took as long as it did for them to get the business case. As for Skype, they prefer to keep their network for thieves and criminals, rather than having paying customers. No problem. We will never use it again.

    So, will I share my credentials on social networking sites? Not on your life.

    I might even go back to a rotary phone.

  • http://www.openfusion.net/ Gavin Carr

    The statement that "Usernames and passwords … [are] the model touted by OpenID" is incorrect – OpenID says nothing whatsoever about how the user is to be authenticated. You can use passwords, secure tokens, out-of-band authentication, retinal scans, or no authentication at all. That’s a provider policy decision that has nothing to do with OpenID.

    The general point that phishing becomes more valuable in a world of OpenID shared credentials is fair enough. On the other hand, shared credentials are already widespread in practice anyway. I’d hope that as OpenID becomes more popular providers will take the lead in providing and encouraging more secure forms of authentication than simple passwords.
