Feeds

OpenID warns of 'psychic paper' authentication attack

Baddies can modify cross-site personal data ... though no one has yet

Choosing a cloud hosting partner with confidence

OpenID has warned of bugs in its authentication technology that create a possible means for hackers to modify data sent between sites.

The flaw is noteworthy because many high-profile sites – including Google, Yahoo! and Flickr – use the technology so that once users have logged into one site, they aren't constantly prompted for passwords. Thousands of smaller sites also use the technology.

The security weakness stems from an implementation flaw in authentication exchange, an extension to the OpenID system that gives sites the ability to exchange identity information between endpoints. The bug meant that proper checks on whether authentication information had been correctly signed were not carried out in some cases, thus creating a mechanism for hackers to offer false information that is accepted as genuine.

The security bug has been confirmed in OpenID4Java and Kay Framework, but is not necessarily limited to them. Both libraries have been updated. Janrain, Ping Identity and DotNetOpenAuth are immune from the bug.

There's no evidence that hackers have actually carried out any "psychic paper" trick along these lines, but the mere fact that the cryptography was weak is good reason enough for OpenID to advise sites to update their technology to a new version, without vulnerable implementations, or apply patches designed to plug the security hole, as explained in an advisory by OpenID here.

"For apps that are vulnerable, we recommend modifying application code to accept only signed attribute values as an initial step," it said.

OpenID credits security researchers Rui Wang, Shuo Chen and XiaoFeng Wang with discovering the flaw. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.