Possible OpenID exploit?

I am wondering if the following procedure allows people to log in with other people’s OpenID. The idea came to me when I heard about someone who made an OpenID server that would return as if the user was logged in no matter what user. Obviously this technique would only be annoying to the person who uses it, but this next one might affect others.

Let me paint you a picture of what I think could be done. I know Alper’s OpenID is http://alper.nl because I can see this on multiple sites and he even told me. Now let’s say I want to log in to his account at some site, without being logged in to his OpenID server. Obviously, when I try to log in to that site with his OpenID, it would redirect to his OpenID server, which would not recognize me as a valid user.

Now let’s try something else: What if I would change my Hosts file (/etc/hosts on Linux and Mac) and make an entry for alper.nl, and have that direct to, let’s say, localhost? I could probably spoof the website I want to log in to that I am redirecting to http://alper.nl while I’m actually not. Now that I have this I could run a server on my localhost that would return a valid response no matter who I am, or I could even delegate to my own OpenID server.

I haven’t tried this out, but I am very interested if there is any protection against these kinds of measures. I hope, and expect, there is, but I couldn’t find the answer anywhere. I even mailed Simon Willison for his advice, but I haven’t heard anything yet.
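To make the question concrete, here is an added example (not from the post, and not any OpenID library's code) that models the part of the OpenID 2.0 flow the scenario above runs into: the relying party (the site you log in to) performs discovery on the claimed identifier using its own DNS, establishes an association (a shared secret) with the provider it discovered, and later checks the HMAC signature on the assertion the browser carries back. The hostnames, IP addresses, endpoint URLs and handles below are constructed for the example; the hosts-file override in the scenario only changes what the attacker's own machine sees, so the rogue server on localhost never receives the shared secret and cannot produce a signature the relying party accepts.

```python
import hashlib
import hmac
import secrets

# Constructed model of the OpenID 2.0 association flow (example code, not a library).
# Field names follow the protocol's signed-field convention; everything else is made up.
SIGNED_KEYS = ["op_endpoint", "claimed_id", "identity", "return_to", "assoc_handle"]


def kv_signature(secret: bytes, fields: dict) -> str:
    """OpenID 2.0 style signature: HMAC-SHA1 over 'key:value\\n' lines of the signed fields."""
    data = "".join(f"{k}:{fields[k]}\n" for k in SIGNED_KEYS)
    return hmac.new(secret, data.encode(), hashlib.sha1).hexdigest()


class Provider:
    """An OpenID Provider (OP). Only the real one ever shares an association secret with the RP."""

    def __init__(self, endpoint: str):
        self.endpoint = endpoint
        self.assoc_secrets = {}  # assoc_handle -> shared secret

    def associate(self, handle: str) -> bytes:
        self.assoc_secrets[handle] = secrets.token_bytes(20)
        return self.assoc_secrets[handle]

    def positive_assertion(self, handle: str, claimed_id: str, return_to: str) -> dict:
        # A rogue OP can fill in any fields it likes (including a handle it saw in the
        # redirect); without the real secret it can only sign with a key of its own.
        secret = self.assoc_secrets.get(handle) or secrets.token_bytes(20)
        fields = {
            "op_endpoint": self.endpoint, "claimed_id": claimed_id,
            "identity": claimed_id, "return_to": return_to, "assoc_handle": handle,
        }
        fields["sig"] = kv_signature(secret, fields)
        return fields


class RelyingParty:
    """The site being logged in to. Discovery and verification both happen on its side."""

    def __init__(self, resolver: dict, discovery_docs: dict, return_to: str):
        self.resolver = resolver              # hostname -> IP, as the RP's own network resolves it
        self.discovery_docs = discovery_docs  # IP -> OP endpoint published by the host at that IP
        self.return_to = return_to
        self.associations = {}                # assoc_handle -> (op_endpoint, secret)

    def discover(self, claimed_id: str) -> str:
        host = claimed_id.split("//", 1)[1].split("/", 1)[0]
        return self.discovery_docs[self.resolver[host]]

    def begin(self, claimed_id: str, providers: dict) -> str:
        """Discover the OP for claimed_id and associate with it; returns the association handle."""
        endpoint = self.discover(claimed_id)
        handle = secrets.token_hex(8)
        self.associations[handle] = (endpoint, providers[endpoint].associate(handle))
        return handle

    def verify(self, response: dict) -> bool:
        assoc = self.associations.get(response.get("assoc_handle"))
        if assoc is None:
            return False  # unknown handle: no secret to check the signature against
        endpoint, secret = assoc
        if response.get("op_endpoint") != endpoint or response.get("return_to") != self.return_to:
            return False  # assertion claims an endpoint or return URL the RP never set up
        return hmac.compare_digest(kv_signature(secret, response), response.get("sig", ""))


# Constructed scenario: alper.nl hosts its own OP endpoint; the attacker's hosts file
# sends alper.nl to 127.0.0.1 on the attacker's machine only.
RP_RESOLVER = {"alper.nl": "203.0.113.10"}              # what the RP's DNS returns
DISCOVERY = {"203.0.113.10": "http://alper.nl/openid"}  # endpoint published at the real host
RETURN_TO = "https://site.example/openid/return"
CLAIMED = "http://alper.nl/"
real_op = Provider("http://alper.nl/openid")
rogue_op = Provider("http://alper.nl/openid")  # same URL, but served from the attacker's localhost
PROVIDERS = {real_op.endpoint: real_op}        # the RP only ever reaches the real one


def legitimate_login() -> bool:
    rp = RelyingParty(RP_RESOLVER, DISCOVERY, RETURN_TO)
    handle = rp.begin(CLAIMED, PROVIDERS)
    # Alper's browser is redirected to the real OP and carries its signed assertion back.
    return rp.verify(real_op.positive_assertion(handle, CLAIMED, RETURN_TO))


def hosts_file_scenario() -> bool:
    rp = RelyingParty(RP_RESOLVER, DISCOVERY, RETURN_TO)
    handle = rp.begin(CLAIMED, PROVIDERS)
    # The attacker's browser lands on the rogue server instead and submits its assertion;
    # the handle is visible in the redirect, the secret behind it is not.
    return rp.verify(rogue_op.positive_assertion(handle, CLAIMED, RETURN_TO))


if __name__ == "__main__":
    print("legitimate login accepted:", legitimate_login())    # True
    print("hosts-file scenario accepted:", hosts_file_scenario())  # False
```

The thing to notice is that the rogue server's assertion fails on the signature check alone: it carries the right endpoint URL and a handle the relying party recognises, but the secret bound to that handle was exchanged directly between the relying party and the real provider, over a connection the relying party opened using its own DNS. What the model also makes visible is where the protection actually rests: on the relying party's own name resolution and association step. Tampering with the client's hosts file does not touch either; poisoning DNS as seen by the relying party itself would be a different matter, which is why relying parties are expected to resolve and fetch identifiers and endpoints themselves rather than trust anything the browser tells them.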
