[ISN] OpenID warns of 'psychic paper' authentication attack

From: InfoSec News <alerts_at_private>
Date: Tue, 10 May 2011 02:32:15 -0500 (CDT)

By John Leyden
The Register
9th May 2011

OpenID has warned of bugs in its authentication technology that create a 
possible means for hackers to modify data sent between sites.

The flaw is noteworthy because many high-profile sites -- including 
Google, Yahoo! and Flickr -- use the technology so that once users have 
logged into one site, they aren't constantly prompted for passwords. 
Thousands of smaller sites also use the technology.

The security weakness stems from an implementation flaw in 
authentication exchange, an extension to the OpenID system that gives 
sites the ability to exchange identity information between endpoints. 
The bug meant that proper checks on whether authentication information 
had been correctly signed were not carried out in some cases, thus 
creating a mechanism for hackers to offer false information that is 
accepted as genuine.

The security bug has been confirmed in OpenID4Java and Kay Framework, 
but is not necessarily limited to them. Both libraries have been 
updated. Janrain, Ping Identity and DotNetOpenAuth are immune from the 


Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery 
Network, Cisco Switches, SAS 70 Type II Datacenter. 
Find peace of mind, Defend your Critical Infrastructure.
Received on Tue May 10 2011 - 00:32:15 PDT

This archive was generated by hypermail 2.2.0 : Tue May 10 2011 - 00:42:24 PDT