Researchers have uncovered a flaw in some implementations of OpenID 2.0 that could allow an attacker to modify information passed between parties and impersonate a user.
The flaw lies in several implementations of the OpenID relying party (RP) logic that handles Attribute Exchange (AX). The RP is one end of the identity-validation flow; the other end is the identity provider (IDP) that issued the user an ID.
The researchers said that in certain cases the RP's OpenID implementation does not confirm that all the information passed via AX is covered by the response signature. Because the RP nonetheless trusts the unsigned data as valid, attackers can change attributes without detection.
The OpenID Foundation (OIDF) announced the flaw Thursday on its Web site, posted a fix and said that major Web sites using the protocol have already applied updated libraries that address the flaw.
There are no known exploits in the wild. Several major service providers were affected, but were not named in the OIDF report.
“This is why god invented open source, so everyone can evaluate the code,” said Don Thibeau, executive director of the OpenID Foundation.
The OIDF said apps using OpenID4Java are prone to accepting unsigned attributes. OIDF advised users to update to the latest 0.9.6 version of the library. The Kay Framework was also deemed vulnerable and was patched in version 1.0.2.
The OIDF confirmed that the default usage of services/libraries from DotNetOpenAuth, Janrain and Ping Identity are not vulnerable to the attack.
According to the researchers, attackers can manipulate attributes at a point in the OpenID transaction and gain access to the victim’s account.
The OpenID Foundation said researchers Rui Wang, Shuo Chen and XiaoFeng Wang discovered the vulnerability.
OIDF suggested that users should modify the code of vulnerable apps to accept only signed attribute values as a first step to protecting their apps.
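The check the OIDF recommends (accept an AX attribute only if it is covered by the assertion's signature) is easy to get wrong, because an RP that verifies `openid.sig` over the fields listed in `openid.signed` and then reads AX fields that are not in that list still "verifies the signature" and still trusts unsigned data. The example below is added here and is not code from the OpenID Foundation, OpenID4Java or any of the vendors named above. It simulates an OP positive assertion with constructed values and a constructed association key (`MAC_KEY`), signs it the way OpenID 2.0 describes (HMAC over the key-value form of the fields named in `openid.signed`, in that order), and contrasts the flawed pattern (`naive_ax_email`, reads the attribute after checking only that the signature verifies) with the hardened one (`trusted_ax_attributes`, also requires every AX field, including `ns.<alias>`, to appear in `openid.signed`). The function and variable names are the example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed association key; in a real flow it is established between OP and
# RP during the association step, never hard-coded.
MAC_KEY = b"constructed-demo-association-key"


def parse_indirect_response(query):
    """Turn the query string the OP redirected to return_to into a field dict."""
    return dict(parse_qsl(query, keep_blank_values=True))


def signing_input(params):
    """Key-value form of the fields named in openid.signed, in that order (OpenID 2.0 sec 6.1)."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in params["openid.signed"].split(","))


def sign(params, mac_key):
    """HMAC-SHA256 (assoc type HMAC-SHA256) over the signing input, base64 encoded."""
    digest = hmac.new(mac_key, signing_input(params).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_valid(params, mac_key):
    """True if openid.sig matches the fields listed in openid.signed; a missing field is a failure."""
    try:
        return hmac.compare_digest(params.get("openid.sig", ""), sign(params, mac_key))
    except KeyError:
        return False


def ax_alias(params):
    """Extension alias bound to the AX namespace (e.g. 'ext1'), or None if AX is absent."""
    for k, v in params.items():
        if k.startswith("openid.ns.") and v == AX_NS:
            return k[len("openid.ns."):]
    return None


def ax_fields(params):
    """All AX fields without the 'openid.' prefix, including the ns.<alias> binding itself."""
    alias = ax_alias(params)
    if alias is None:
        return {}
    return {k[len("openid."):]: v for k, v in params.items()
            if k == f"openid.ns.{alias}" or k.startswith(f"openid.{alias}.")}


def naive_ax_email(params, mac_key):
    """The flawed pattern: verify the signature, then read an AX field regardless of coverage."""
    if not signature_valid(params, mac_key):
        raise ValueError("openid.sig does not verify")
    return params.get("openid.ext1.value.email")


def trusted_ax_attributes(params, mac_key):
    """Hardened pattern: attribute values are returned only if the signature verifies AND
    every AX field (mode, type.*, value.*, and ns.<alias>) is listed in openid.signed."""
    if not signature_valid(params, mac_key):
        raise ValueError("openid.sig does not verify")
    signed = set(params.get("openid.signed", "").split(","))
    fields = ax_fields(params)
    unsigned = sorted(f for f in fields if f not in signed)
    if unsigned:
        raise ValueError(f"AX fields not covered by signature: {unsigned}")
    prefix = f"{ax_alias(params)}.value."
    return {k[len(prefix):]: v for k, v in fields.items() if k.startswith(prefix)}


CORE = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
AX = ["ns.ext1", "ext1.mode", "ext1.type.email", "ext1.value.email"]


def build_assertion(signed_fields, email, mac_key):
    """Simulated OP positive assertion (all values constructed) carrying one AX attribute."""
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/user/alice",
        "openid.identity": "https://op.example/user/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2011-05-05T12:00:00Zconstructed",
        "openid.assoc_handle": "constructed-handle",
        "openid.ns.ext1": AX_NS,
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.email": "http://axschema.org/contact/email",
        "openid.ext1.value.email": email,
        "openid.signed": ",".join(signed_fields),
    }
    p["openid.sig"] = sign(p, mac_key)
    return p


def demo():
    """Round-trip two assertions through the RP side: one with AX signed, one without."""
    good = parse_indirect_response(urlencode(build_assertion(CORE + AX, "alice@example.org", MAC_KEY)))
    partial = parse_indirect_response(urlencode(build_assertion(CORE, "alice@example.org", MAC_KEY)))
    # A field outside the signed list can differ from what the OP emitted without
    # affecting signature verification; this is the condition the check must catch.
    partial["openid.ext1.value.email"] = "someone-else@example.org"
    results = {
        "naive_good": naive_ax_email(good, MAC_KEY),
        "naive_partial": naive_ax_email(partial, MAC_KEY),
        "strict_good": trusted_ax_attributes(good, MAC_KEY)["email"],
    }
    try:
        trusted_ax_attributes(partial, MAC_KEY)
        results["strict_partial"] = "accepted"
    except ValueError as exc:
        results["strict_partial"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The signature in `demo()` verifies for both assertions, which is exactly why the naive extractor is fooled: it returns the altered address from the second one, while `trusted_ax_attributes` rejects it because `ns.ext1` and the `ext1.*` fields are missing from `openid.signed`. Production code must also check the nonce, `return_to`, and the association handle as OpenID 2.0 requires; those checks are left out here to keep the signature-coverage point in focus.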