OpenID Security Flaw Lets Hackers Impersonate Users
Posted on May 09 2011 11:22 PM by xper in Security

Researchers have detected a serious vulnerability in some implementations of OpenID 2.0 that could enable attackers to gain unauthorized access to a user's account by altering information in transit. The flaw exists in several implementations of Attribute Exchange (AX), a function that permits sites to exchange information between endpoints: some sites do not confirm that the information passing through AX has been signed.

As a result, such a site could accept all of the information passing through AX as valid, including the identity of an unknown user, which enables an attacker to modify the data to his or her advantage or impersonate a victim without detection.
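The check that the affected sites skipped, as an added example that is not from the article, the advisory, or any OpenID library: a receiving site refuses AX data unless every AX field is listed in `openid.signed`. The function names and the sample responses are constructed for illustration, and the code assumes `openid.sig` has already been verified over the listed fields.

```python
from urllib.parse import parse_qsl, urlencode

AX_NS = "http://openid.net/srv/ax/1.0"  # Attribute Exchange 1.0 namespace URI


def _ax_keys(query):
    """Parse the response; return (params, [(alias, key)] for AX-related keys)."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        raise ValueError("duplicate parameter in response")
    # The extension alias is chosen by the sender, so locate AX by namespace URI.
    aliases = [k[len("openid.ns."):] for k, v in params.items()
               if k.startswith("openid.ns.") and v == AX_NS]
    keys = [(a, k) for a in aliases for k in params
            if k == f"openid.ns.{a}" or k.startswith(f"openid.{a}.")]
    return params, keys


def unsigned_ax_fields(query):
    """AX keys that openid.signed does not list (signature itself checked elsewhere)."""
    params, keys = _ax_keys(query)
    signed = {"openid." + n for n in params.get("openid.signed", "").split(",") if n}
    return sorted(k for _, k in keys if k not in signed)


def trusted_ax_values(query):
    """Return AX values keyed by attribute alias; refuse if any AX key is unsigned."""
    missing = unsigned_ax_fields(query)
    if missing:
        raise ValueError("unsigned AX fields: " + ", ".join(missing))
    params, keys = _ax_keys(query)
    return {k[len(f"openid.{a}.value."):]: params[k] for a, k in keys
            if k.startswith(f"openid.{a}.value.")}


# Constructed sample responses (not captured traffic).
SAMPLE = {
    "openid.mode": "id_res",
    "openid.claimed_id": "https://idp.example/alice",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.com",
}
COVERED = urlencode({**SAMPLE, "openid.signed": "claimed_id,ns.ax,ax.mode,ax.type.email,ax.value.email"})
UNCOVERED = urlencode({**SAMPLE, "openid.signed": "claimed_id"})
```

`UNCOVERED` carries a valid-looking signature list that simply omits the AX fields, which is the case the advisory warns about; `trusted_ax_values` rejects it instead of returning the e-mail attribute.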

"If the site is only using AX to receive low-security information like a user's self-asserted gender, then this will probably not be a problem," according to an OpenID advisory posted Thursday. "However, if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack."

In a successful attack scenario, hackers could manipulate the OpenID transaction and potentially access the victim’s account.

Researchers at OpenID have already created a fix for the flaw, and impacted Web sites have deployed the update.

Thus far, there are no known attacks in the wild exploiting the flaw.

Source: CRN
