Possible OpenID exploit?

I am wondering if the following procedure allows people to log in with other people’s OpenID. The idea came to me when I heard about someone who made an OpenID server that would respond as if the user was logged in, no matter what user. Obviously that technique would only be annoying to the person who uses it, but this next one might affect others.

Let me paint you a picture of what I think could be done. I know Alper’s OpenID is http://alper.nl because I can see this on multiple sites and he even told me. Now let’s say I want to log in to his account at some site, without being logged in to his OpenID server. Obviously, when I try to log in to that site with his OpenID, it would redirect to his OpenID server, which would not recognize me as a valid user.

Now let’s try something else: what if I changed my hosts file (/etc/hosts on Linux and Mac) and added an entry for alper.nl pointing to, let’s say, localhost? I could probably fool the website I want to log in to into thinking it is redirecting me to http://alper.nl while it actually is not. Once I have that, I could run a server on my localhost that returns a valid response no matter who I am, or I could even delegate to my own OpenID server.

I haven’t tried this out, but I am very interested in whether there is any protection against this kind of trick. I hope, and expect, there is, but I couldn’t find the answer anywhere. I even mailed Simon Willison for his advice, but I haven’t heard anything yet.

4 Comments to 'Possible OpenID exploit?'


  1. Dan W said,

    If you can’t find an answer, give the exploit a try to see.

  2. I think I will try it in a couple of weeks. Wednesday I leave for the Netherlands, so I have to try it either tomorrow or when I get back.

  3. Ok, I gave my theory a quick run by making a fake entry that routes alper.nl to localhost. Somehow, though, I never see the browser linking to that page but directly to Alper’s true provider, http://myopenid.com. I suspect that the OpenID protocol gets this first step done at the server side.

    After this I tried to make a fake entry to the myopenid site, but that didn’t really help because another redirect is not possible. The solution I think is to run a “free” server that gives a valid response anytime, and then link the dns entry in the hosts file for myopenid to that server.

    This is more work, and I will have to try that later.

  4. alistair_uk said,

    This will not actually work unless you can redirect both the client and web server machines to the malicious OpenID server.

    If memory serves me correctly, OpenID can function in two ways.

    1) The best is when the web server contacts the OpenID server and they agree on a secret to encrypt their communication with. Although the communication goes via the client, without the secret (which only the web server and OpenID server know) you cannot get the evil OpenID server to pretend to be the good one.

    2) The other solution is where the details are passed between the OpenID and web servers via the client unencrypted. When this happens the web server should ask the OpenID server directly if what it received from the client is true.

    You might have noticed that in both these scenarios the web server contacts the OpenID server in a way that bypasses the client completely, so the server cannot be spoofed.

    …so in summary it is not actually a problem at all, provided the person implementing the web site does not take any stupid shortcuts and leave out part of the communication to save some coding time. With libraries available for most platforms there really is no need to take these shortcuts.
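A worked illustration of the check alistair_uk describes in scenario 1, added here as an example and not code from the post or from any OpenID library: the relying party (the web site) verifies a signed OpenID 2.0 positive assertion with the MAC key it negotiated directly with the provider it discovered server-side, so a provider the browser was redirected to by a hosts-file entry cannot produce an acceptable response. The return_to URL, nonce, association handle and keys are constructed values.

```python
import base64
import hashlib
import hmac
import secrets

# Fields OpenID 2.0 requires the provider to list in openid.signed.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def kv_form(fields, signed):
    # Key-Value Form of the signed fields, in openid.signed order.
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()

def sign_assertion(mac_key, fields):
    # Provider side: HMAC-SHA1 over the Key-Value Form with the association key.
    signed = list(fields)
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()
    return {**fields, "signed": ",".join(signed),
            "sig": base64.b64encode(mac).decode()}

def verify_assertion(mac_key, discovered_endpoint, claimed_id, response):
    # Relying-party side. mac_key and discovered_endpoint come from the RP's own
    # server-to-server association and discovery, never from the browser.
    signed = response.get("signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed) or any(k not in response for k in signed):
        return False
    if response["op_endpoint"] != discovered_endpoint:
        return False
    if response["claimed_id"] != claimed_id:
        return False
    expected = hmac.new(mac_key, kv_form(response, signed), hashlib.sha1).digest()
    try:
        got = base64.b64decode(response["sig"], validate=True)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(expected, got)

def run_flows():
    # Constructed scenario: the RP discovered Alper's real provider itself and
    # holds a 20-byte association key shared only with that provider.
    real_op, rp_key = "http://myopenid.com", secrets.token_bytes(20)
    base = {"op_endpoint": real_op, "return_to": "http://site.example/login",
            "response_nonce": "2007-01-01T00:00:00Zabc", "assoc_handle": "h1",
            "claimed_id": "http://alper.nl", "identity": "http://alper.nl"}
    honest = sign_assertion(rp_key, base)
    # The attacker's localhost "provider" sees the same fields but not rp_key.
    forged = sign_assertion(secrets.token_bytes(20), base)
    # Editing a signed field in transit breaks the signature too.
    tampered = {**honest, "identity": "http://attacker.example"}
    return {name: verify_assertion(rp_key, real_op, "http://alper.nl", resp)
            for name, resp in [("honest", honest), ("forged", forged),
                               ("tampered", tampered)]}
```

In stateless mode (scenario 2) the RP instead posts the received fields back to discovered_endpoint in a check_authentication request over its own connection, which the client's hosts file likewise cannot redirect.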


© Cristiano on Tech/Life