OpenID_Phishing_Brainstorm


Background

This page is intended as a central place where anti-phishing ideas for OpenID are documented. Please see this thread on the OpenID general discussions list for more information. 

Attack Vector

The following use case is central to the issue:

  1. User visits a malicious RP page containing what looks like a regular OpenID login form.
  2. User enters his OpenID URL.
  3. Malicious RP redirects the user to another page that looks like the user's OP (call this Fake-OP).
  4. Fake-OP asks the user for his password.
  5. User, not noticing any difference from his usual OP, enters his password.
  6. Fake-OP now has the user's password.

Note that anyone can set up the malicious RP, and the techniques used to spoof the OP vary in sophistication, from a crude copy of the login page to a near-perfect replica served from a look-alike domain.

Kim Cameron's blog gives a detailed description of the problem (not of the solution!).

OpenID Realm Spoofing

Similar to OpenID Phishing is OpenID Realm Spoofing. It is very easy for a malicious RP to craft an Authentication Request with openid.realm set to a trusted domain, including *.microsoft.com, *.google.com, *.aol.com, or *.go.com, by using open redirect servers or by exploiting XSS flaws on the trusted domain. When signing in, the user's OP will assert to the user that they are signing into the trusted domain, when in fact they are being redirected back to the malicious RP.

Steps to reproduce:

  1. User visits a malicious RP page that issues an Authentication Request to the user's OP with a spoofed realm. The spoofed realm is a realm that the user trusts, for instance their bank, ISP, email provider, an auction site, etc.
  2. The malicious RP hides its return_to behind an open redirect server on the spoofed realm, such as the one on go.com: http://x.go.com/cgi/x.pl?goto=http://www.jyte.com
  3. User's OP displays the realm, and the user signs in, thinking that they are signing into the spoofed realm.
  4. User is redirected back to the malicious RP, thinking that the malicious RP is the spoofed realm.

The key issue with Realm Spoofing is that the OP asserts to the user the identity of the RP. Because the realm is easily spoofed, and because users trust their OP, the OP can be used to phish users when they signin to a malicious RP. This issue could potentially result in huge liability risks for OPs whose users get phished because their OP told them that they were signing into a trusted site.
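The following is an added example, not code from this wiki page or from any OpenID library: it implements the return_to-to-realm matching rules of OpenID Authentication 2.0 (same scheme and port, path equal to or under the realm's path, host equal to the realm's domain or, with a "*." wildcard, ending in it) and runs them against the go.com open-redirect return_to from the steps above. The matching check passes, which is precisely why realm spoofing works. The second function is a heuristic of this example, not a spec rule: it flags any return_to query parameter whose value is an absolute URL on a host outside the realm's domain, the classic shape of an open redirect.

```python
"""OpenID 2.0 realm matching versus an open-redirect return_to (added example)."""
from urllib.parse import parse_qsl, urlsplit


def _host_in_domain(host: str, realm_host: str) -> bool:
    """True if host is the realm's domain, or (with a "*." wildcard) any host under it."""
    host = host.lower()
    if realm_host.startswith("*."):
        suffix = realm_host[2:].lower()
        return host == suffix or host.endswith("." + suffix)
    return host == realm_host.lower()


def _path_under(path: str, prefix: str) -> bool:
    """True if path equals the realm's path or is a sub-directory of it."""
    path, prefix = path or "/", prefix or "/"
    if prefix == "/" or path == prefix:
        return True
    return path.startswith(prefix.rstrip("/") + "/")


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Apply the OpenID Authentication 2.0 rules for a return_to matching a realm."""
    r, m = urlsplit(realm), urlsplit(return_to)
    if r.fragment:                       # a realm must not contain a fragment
        return False
    if r.scheme != m.scheme or r.port != m.port:
        return False
    if not (r.hostname and m.hostname):
        return False
    return _host_in_domain(m.hostname, r.hostname) and _path_under(m.path, r.path)


def looks_like_open_redirect(return_to: str, realm: str) -> list:
    """Heuristic (this example's assumption, not a spec requirement): return the
    query parameters of return_to whose value is an absolute http(s) URL on a host
    outside the realm's domain. A return_to that passes realm matching but carries
    such a parameter is the shape of the go.com redirector in the attack above."""
    realm_host = urlsplit(realm).hostname or ""
    suspicious = []
    for name, value in parse_qsl(urlsplit(return_to).query, keep_blank_values=True):
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.hostname:
            if not _host_in_domain(target.hostname, realm_host):
                suspicious.append((name, value))
    return suspicious


# Constructed inputs mirroring the steps above: a spoofed realm and the
# open-redirect return_to that bounces the user on to the attacker's site.
SPOOFED_REALM = "http://*.go.com/"
SPOOFED_RETURN_TO = "http://x.go.com/cgi/x.pl?goto=http://www.jyte.com"

if __name__ == "__main__":
    print("realm match:", return_to_matches_realm(SPOOFED_RETURN_TO, SPOOFED_REALM))
    print("redirect params:", looks_like_open_redirect(SPOOFED_RETURN_TO, SPOOFED_REALM))
```

The point of running both checks is that the spec-mandated one says "yes" for the spoofed request, so an OP that displays the realm to the user on the strength of realm matching alone is vouching for go.com while the session actually lands at jyte.com. The heuristic catches this particular redirector shape, but not a redirect target hidden behind an encoded or server-side lookup parameter, or an XSS-based bounce, so it is a warning signal rather than a replacement for verifying the RP's return_to endpoints out of band.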

Additionally, Attribute Exchange is very dangerous because neither the user nor the OP knows where the user's data is being sent.

Mitigation

Scope of OpenID Authentication 2.0

It is generally agreed that the OpenID specifications suite needs to address the spoofing issue - whether or not it is in scope for OpenID Authentication.


Recommendations for OP

Recommendations for Users

Client-based Mitigation

Discussion on the topic of Phishing and OpenID

You can find lots of discussion on the OpenID General mailing list. In addition, there have been several blog posts on the topic: