Hi Andris,
What you suggest sounds a bit like realm spoofing? In that case it is a
known vulnerability of OpenID:
http://wiki.openid.net/w/page/12995216/OpenID_Phishing_Brainstorm
Best regards,
Bart van Delft
On 2013-12-21 10:12, Andris Atteka wrote:
Hi Everyone,
Google's Security Team suggested asking this question here.
Attacker can perform the following steps:
1) Find an open redirect in some major website that leads to the
attacker's website (and append a fragment identifier to this URL)
2) Craft a URL and set redirect_url to the open redirect
3) Trick the victim into visiting the URL
As the URL belongs to a major website, the victim will most likely accept
the RP and his identity will be leaked to the attacker's site.
Here's an example (Google itself has some nice open redirects):
https://www.google.com/accounts/o8/ud?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=https%3A%2F%2Fwww.google.com%2F&openid.return_to=https%3A%2F%2Fwww.google.com%2Fsearch%3FbtnI%26q%3Dallinurl%253A%252F%252Flva.lv%23aaa&openid.ui.icon=true&openid.ui.lang=en-US&openid.ui.mode=popup&third_party_login=false
This can even be extended so that the user doesn't have to accept the RP. For
this, the attacker would have to find an open redirect that shares a domain
with some valid OpenID consumer (some major sites actually do this).
In this case the user wouldn't even notice the identity leak.
Is this only a bug in Google's OpenID implementation or a bug in the
OpenID spec itself?
I do see the OpenID spec talking about normalization of identifiers
(including removal of fragment and fragment identifier). Does the same
apply to redirect_url? If not, would it be reasonable to include this
in the spec?
Regards,
Andris Atteka
andrisatteka.blogspot.com <http://andrisatteka.blogspot.com>
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
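The two OP-side checks this thread touches on, worked through as an added example (this is not code from the thread, from Google's OP or from any OpenID library): first, the realm-matching rules of OpenID Authentication 2.0 section 9.2, which the openid.return_to from Andris's message passes because it sits under the realm https://www.google.com/, so realm matching alone cannot stop the attack; second, how an OP attaches the positive-assertion parameters to return_to. If the OP concatenates them onto a return_to string that already ends in a fragment, the whole assertion, e-mail included, lands in the fragment, and browsers carry a fragment across a redirect whose Location has no fragment of its own (RFC 7231 section 7.1.2). Building the query component properly and dropping the fragment keeps the assertion in the query. The return_to and realm values are the ones from the message, URL-decoded; the assertion dictionary and the e-mail address in it are constructed, and every function name is this example's own.

```python
"""
OpenID 2.0 Provider-side handling of openid.return_to: realm matching
(section 9.2) and attaching the positive assertion. Added example only;
names below are this example's own, not any library's API.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# return_to and realm from Andris's message, URL-decoded once
EXAMPLE_RETURN_TO = "https://www.google.com/search?btnI&q=allinurl%3A%2F%2Flva.lv#aaa"
EXAMPLE_REALM = "https://www.google.com/"

# Constructed positive assertion, trimmed to the parameters that matter here
EXAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ext1.value.email": "victim@example.com",  # constructed value
}


def _port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def realm_matches(return_to: str, realm: str) -> bool:
    """Section 9.2: same scheme and port; host identical, or the realm host is
    '*.suffix' and the return_to host is suffix or ends in '.suffix'; the
    return_to path is equal to or a sub-directory of the realm path. A realm
    carrying a fragment is invalid by the spec. (Treating the bare domain as
    matching the wildcard is this example's choice.)"""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.fragment:
        return False
    if rt.scheme != rl.scheme or _port(rt) != _port(rl):
        return False
    rt_host, rl_host = (rt.hostname or ""), (rl.hostname or "")
    if rl_host.startswith("*."):
        suffix = rl_host[2:]
        if not (rt_host == suffix or rt_host.endswith("." + suffix)):
            return False
    elif rt_host != rl_host:
        return False
    rl_dir = (rl.path or "/").rstrip("/") + "/"   # realm path as a directory
    rt_path = rt.path or "/"
    return rt_path + "/" == rl_dir or rt_path.startswith(rl_dir)


def attach_assertion_naive(return_to: str, assertion: dict) -> str:
    """What a careless OP does: choose '?' or '&' by inspecting the string and
    concatenate. When return_to already ends in a fragment, every assertion
    parameter ends up after the '#' and is never sent to the RP at all."""
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode(assertion)


def attach_assertion(return_to: str, assertion: dict) -> str:
    """Corrected form: merge the assertion into the query component and drop
    any fragment, so the assertion reaches the RP in the query string and is
    not carried along by a later redirect."""
    parts = urlsplit(return_to)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(assertion.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def assertion_in_fragment(url: str) -> bool:
    """True if the e-mail assertion parameter sits in the fragment component."""
    return "openid.ext1.value.email" in urlsplit(url).fragment


if __name__ == "__main__":
    print("realm match:", realm_matches(EXAMPLE_RETURN_TO, EXAMPLE_REALM))
    for label, fn in (("naive", attach_assertion_naive), ("correct", attach_assertion)):
        url = fn(EXAMPLE_RETURN_TO, EXAMPLE_ASSERTION)
        print(f"{label}: e-mail in fragment = {assertion_in_fragment(url)}\n  {url}")
```

Run as a script it prints that the message's return_to matches its realm, that the naive concatenation puts the e-mail assertion into the fragment, and that the corrected form produces a fragment-free URL with the assertion in the query. Whether an OP should go further and refuse any return_to that carries a fragment is the question the thread raises; the corrected function above simply discards it.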