Yesterday, Gareth Heyes alerted us to a vulnerability in MyOpenID.com’s OpenID approval. Luckily, Gareth was one of the good guys and helped us to reproduce the problem, so that we could put out a fix within hours. It’s also fortunate that the vulnerability did not apply to the majority of MyOpenID.com’s users.
Who was exposed, and how?
If you are not a Safari user, you were not exposed to the vulnerability. In the past month, 3% of requests to MyOpenID.com came from browsers that identified themselves as Safari, so that means the vast majority of our users were not exposed. The vulnerability has been fixed, so no users are currently exposed to it.
The exploit allowed an attacker to sign a MyOpenID.com user into any OpenID consumer. Essentially, this attack exposed personal information (a confirmation that the user controls a given MyOpenID.com URL, and any information that’s in their default MyOpenID.com persona) to a third-party site, without the user’s approval.
The attacker could also add the site to the user’s MyOpenID.com trusted sites list, so that further authentication requests would succeed without interaction if the user is signed in to MyOpenID.com.
The attacker was not able to steal the user’s credentials (password), nor were they able to sign in to a site as that user.
How can I tell if I have been exposed?
There are no known cases of malicious exploitation of this vulnerability in the wild. If you are a Safari user and a MyOpenID.com user, you can check your trusted sites list to see if there are any sites present that you did not authorize. You can get to your trusted sites list by signing in to MyOpenID.com, visiting your MyOpenID.com Settings page, and clicking on the
How did it work?
Right now, Gareth is working with other OpenID providers to ensure that they are not vulnerable to similar attacks. We will make a later post about the technical details once those discussions are complete.
We take security seriously, and we welcome reports of potential security problems. Your feedback helps us make MyOpenID.com the best OpenID provider.