I can confirm Verisign have now fixed this vulnerability. I'm very pleased with the response times of OpenID providers. Keep up the good work, and I'm sure OpenID can become a secure service for everyone.

Note to other vendors: I may change the proof of concept to use your site if you do not use any frame protection.

On Mon, 15 Oct 2007 10:02:12 +0100 [EMAIL PROTECTED] wrote:
>Hi all
>
>I've created a proof of concept which highlights the problem of
>single sign on providers not providing iframe protection and
>remembering the password.
>
>The demo uses a Verisign account (It was the first provider I
>found without iframe protection)
>
><http://www.thespanner.co.uk/2007/09/28/openid-security-css-overlays/>
>
>Cheers
>
>Gareth
>
>_______________________________________________
>security mailing list
>[email protected]
>http://openid.net/mailman/listinfo/security
