Hi Alexander,

First things first, Google specifically addresses this point in their
Authentication Best Practices <http://code.google.com/googleapps/marketplace/best_practices.html#attributes> document.
Informed users will already be made aware of this problem with
relying on AX.

In the second place, Google verifies that email addresses do, in fact,
belong to accounts, so this is a non-issue for people building
extensions/addons for the Google Apps platform.

The only time this could ever be a remote problem -- and I emphasize remote
-- is if app authors are allowing federation with non-Google OpenID
endpoints. We address this point in our app by checking that the OpenID
endpoint is the Google one (not a third party's) to ensure the AX address
can't be spoofed.

This isn't a big problem for most users of Google Apps. However, if you like
solving these kinds of problems, come work for Wishery
<http://www.linkedin.com/company/wishery/careers> where we build
on Google Apps, and treat security as a first-class concern.

DA

On Thu, Oct 6, 2011 at 5:31 PM, Alyxandor <[email protected]> wrote:

> Please refer to the AX_EMAIL and other AX parameters. Google OpenID will
> send a mail parameter back to your auth point.
>
> http://code.google.com/apis/accounts/docs/OpenID.html
> Search the page for openid.ax.type.email
>
>
> There is a known vulnerability with Attribute eXchange that can be avoided
> with libraries like Step2 or integrated App Engine login.
> I'm not sure what libraries you are using to perform auth, so be aware that
> non-Google OpenID providers can easily spoof this to hack your app.
> Since you are doing a Gmail gadget, as long as you do not allow users to
> enter any domain as the OpenID provider, you should be OK...
> But if users can, in any way, provide an arbitrary domain to log in with,
> you should use additional encryption options to ensure the AX email contains
> the same domain as the OpenID provider.
>
>
> http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html
>
> Also, note that Gmail gadgets (or at least the GWT Gmail gadgets I've
> built) use a proxy server for your requests, and it will have a new session
> id with each request.
> If you need to track an authenticated session, you may want to use cookies or
> store an in-memory copy of the authed session key and send it along with
> every request.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Apps Domain Information and Management APIs" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/google-apps-mgmt-apis/-/2M6gKiLOw7MJ.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-apps-mgmt-apis?hl=en.
>



-- 
David R. Albrecht / [email protected]
http://davidralbrecht.com/
+1 (312) 445-0883
@davidralbrecht
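As an added example (not code from either message, and not Google's, Step2's or Wishery's own code), here is how a relying party could apply the check David describes, accepting the AX email only when the OpenID endpoint is Google's and not a third party's, together with Alyxandor's point that the AX email's domain should match the OpenID provider. The endpoint URLs, the AX type URI and the `openid.*` field names are assumptions drawn from Google's OpenID 2.0 documentation of the period rather than from the thread, and the sample responses are constructed. The code assumes the OpenID library has already verified the response signature and checked `openid.op_endpoint` against the endpoint found during discovery; this is a policy layer on top of that, not a substitute for it.

```python
import re

# Google's OpenID 2.0 endpoints of the period (assumed from Google's docs, not quoted in the thread).
GOOGLE_ACCOUNTS_ENDPOINT = "https://www.google.com/accounts/o8/ud"
GOOGLE_APPS_ENDPOINT_RE = re.compile(r"^https://www\.google\.com/a/([A-Za-z0-9.-]+)/o8/ud$")
# Standard AX type URI for an email address; openid.ax.type.email carries this in Google's docs.
AX_EMAIL_TYPE = "http://axschema.org/contact/email"
AX_NS = "http://openid.net/srv/ax/1.0"


def ax_email(response):
    """Return the AX email value, whatever alias the relying party chose.

    AX attributes arrive as openid.ax.type.<alias> / openid.ax.value.<alias>
    pairs; the alias is found by its type URI rather than trusting a fixed name.
    """
    prefix = "openid.ax.type."
    for key, value in response.items():
        if key.startswith(prefix) and value == AX_EMAIL_TYPE:
            return response.get("openid.ax.value." + key[len(prefix):])
    return None


def classify_endpoint(op_endpoint):
    """('accounts', None) for Google's consumer endpoint, ('apps', domain) for a
    Google Apps domain endpoint, or (None, None) for anything else."""
    if op_endpoint == GOOGLE_ACCOUNTS_ENDPOINT:
        return "accounts", None
    m = GOOGLE_APPS_ENDPOINT_RE.match(op_endpoint or "")
    if m:
        return "apps", m.group(1).lower()
    return None, None


def validate_google_ax_email(response):
    """Return (accepted, reason, email). Accept an AX email only when Google vouches for it.

    Assumes the OpenID library already verified the signature and discovery of
    openid.op_endpoint; a third-party OP that is allowed to federate could still
    assert any email it likes, which is why the endpoint itself is pinned here.
    """
    if response.get("openid.mode") != "id_res":
        return False, "not a positive assertion", None
    kind, apps_domain = classify_endpoint(response.get("openid.op_endpoint"))
    if kind is None:
        return False, "OpenID endpoint is not Google's; AX email is unverified", None
    email = ax_email(response)
    if not email or email.count("@") != 1:
        return False, "no well-formed AX email in response", None
    domain = email.rsplit("@", 1)[1].lower()
    if kind == "apps" and domain != apps_domain:
        return False, "email domain %s does not match Apps domain %s" % (domain, apps_domain), None
    return True, "ok", email.lower()


# Constructed sample responses carrying only the fields this check reads.
def _sample(op_endpoint, email):
    r = {"openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
         "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response"}
    if email is not None:
        r["openid.ax.type.email"] = AX_EMAIL_TYPE
        r["openid.ax.value.email"] = email
    return r


SAMPLES = {
    "google_consumer": _sample(GOOGLE_ACCOUNTS_ENDPOINT, "alice@gmail.com"),
    "google_apps_ok": _sample("https://www.google.com/a/example.com/o8/ud", "Bob@Example.com"),
    "google_apps_mismatch": _sample("https://www.google.com/a/example.com/o8/ud", "alice@gmail.com"),
    "third_party_op": _sample("https://openid.example.net/server", "alice@gmail.com"),
    "no_email": _sample(GOOGLE_ACCOUNTS_ENDPOINT, None),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, validate_google_ax_email(resp))
```

The endpoint pin is the check that matters for the scenario in the thread: if an app lets users type in an arbitrary OpenID provider, the signature on the response only proves that provider said it, not that the mailbox exists, so the AX email is treated as unverified unless the assertion came from Google's own endpoint. For a Google Apps endpoint the email domain is additionally required to match the Apps domain in the URL, which is the domain-consistency check Alyxandor suggests.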
