Serious flaw in OpenID


Last Thursday the OpenID Foundation announced a serious weakness in the Attribute Exchange extension to OpenID, which permits sites to exchange information between endpoints. Essentially, it is possible to pass information through Attribute Exchange unsigned, which could potentially permit an attacker to modify the information.
There are no known exploits at this time, and the major sites that use OpenID have been contacted and have deployed a fix. For the rest of you who have applications using OpenID, the recommendation is to update the OpenID4Java library to 0.9.6 final.
Further details are available at the Threatpost blog and the Ping Talk Blog.
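As an added illustration of the relying-party side of this weakness (example code written here, not the diary's or OpenID4Java's), the Python below accepts Attribute Exchange values only when every AX field, and the AX namespace declaration, is listed in `openid.signed`. It assumes the HMAC in `openid.sig` over the listed fields has already been verified; the sample assertion, its signature value and the e-mail address are constructed.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

def parse_assertion(query):
    """Parse an OpenID 2.0 positive assertion (query-string form) into a dict."""
    return dict(parse_qsl(query, keep_blank_values=True))

def ax_alias(params):
    """Find the namespace alias bound to AX ('ax' is customary, any alias is legal)."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def signed_ax_attributes(params):
    """Return {type_uri: [values]} for AX attributes that openid.signed covers.
    Assumes the HMAC in openid.sig over the listed fields was already verified.
    Raises ValueError if the AX namespace declaration or any AX field is missing
    from openid.signed, i.e. could be altered without breaking the OP's signature."""
    alias = ax_alias(params)
    if alias is None:
        return {}
    signed = set(params.get("openid.signed", "").split(","))
    prefix = f"openid.{alias}."
    if f"ns.{alias}" not in signed:
        raise ValueError(f"unsigned AX namespace declaration: openid.ns.{alias}")
    for key in params:
        if key.startswith(prefix) and key[len("openid."):] not in signed:
            raise ValueError(f"unsigned AX field: {key}")
    attributes = {}
    for key, type_uri in params.items():
        if not key.startswith(prefix + "type."):
            continue
        name = key[len(prefix + "type."):]
        count = int(params.get(f"{prefix}count.{name}", "0"))  # multi-valued attributes carry a count
        keys = [f"{prefix}value.{name}.{i}" for i in range(1, count + 1)] or [f"{prefix}value.{name}"]
        attributes[type_uri] = [params[k] for k in keys if k in params]
    return attributes

# Constructed sample assertion, not captured traffic; openid.sig is a placeholder.
SIGNED_OK = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ax=http://openid.net/srv/ax/1.0&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http://axschema.org/contact/email"
    "&openid.ax.value.email=alice%40example.org"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.ax,ax.mode,ax.type.email,ax.value.email&openid.sig=PLACEHOLDER"
)
# Same assertion with the AX fields dropped from openid.signed: the email is unsigned.
UNSIGNED_AX = SIGNED_OK.replace(",ns.ax,ax.mode,ax.type.email,ax.value.email", "")
```

A relying party that reads `openid.ax.value.email` straight out of the response, without this membership check, accepts `UNSIGNED_AX` exactly as it accepts `SIGNED_OK`.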


-- Rick Wanner - rwanner at isc dot sans dot org - - Twitter:namedeplume (Protected)


ISC Handler
May 9th 2011
