Opened 12 years ago

Closed 7 years ago

#19 closed Bug/Something is broken (fixed)

MFPL OpenID provider confirmation page doesn't distinguish between two simultaneous requests, vulnerable to CSRF

Reported by: http://users.livejournal.com/_dkg_/ Owned by: Jamie McClelland
Priority: Medium Component: Tech
Keywords: openid Cc:
Sensitive: no

Description

Looking at the source for the MFPL-offered OpenID confirmation page is really worrisome. It doesn't appear to distinguish which particular request is being acted on. Even worse, this seems to make it vulnerable to cross-site request forgeries.

Try the following:

  • Pick two sites which accept OpenID logins. Call them A and B.
  • Start the authentication process with site A. Get all the way up to the point of confirming with the mayfirst OpenID service, but don't confirm yet.
  • In a new browser window or tab, go through the same process with site B, but again, stop just short of confirming.
  • Switch back to the confirmation page for site A, and choose "Confirm". It will confirm for site B.

While this is really bad (users might confirm authentication for a site they didn't mean to confirm) the CSRF possibilities are even worse. A malicious site could set up a JavaScript-based "submit" button which automatically triggers "confirm" on your mayfirst OpenID provider page, which defeats the purpose of asking the user to confirm -- the remote web site is in control. All they need is for you to already be logged into your MFPL OpenID session, and for them to guess your MFPL OpenID URL, and they can automatically verify that it is you.
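An added example, not code from the ticket or from the MFPL server, modelling the two-tab scenario above in Python: the vulnerable provider keeps a single "pending" request per session and its confirm form carries nothing, so the last request started wins and any cross-site form post is accepted; the hardened provider binds each confirmation to a per-request id and a per-session CSRF token. Class names, the in-memory session and the `site A`/`site B` labels are assumptions.

```python
import secrets


class VulnerableProvider:
    """Models the flaw reported: one pending slot, confirm form carries no state."""

    def __init__(self):
        self.pending = None  # overwritten by whichever relying party started last

    def start(self, relying_party):
        self.pending = relying_party
        return {}  # the confirmation form identifies neither request nor session

    def confirm(self, form):
        rp, self.pending = self.pending, None  # ignores which tab submitted
        return rp


class HardenedProvider:
    """Each pending request gets its own id; confirm needs id + session token."""

    def __init__(self):
        self.pending = {}
        self.csrf_token = secrets.token_urlsafe(32)  # per-session, constructed here

    def start(self, relying_party):
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = relying_party
        return {"request_id": request_id, "csrf_token": self.csrf_token}

    def confirm(self, form):
        if not secrets.compare_digest(form.get("csrf_token", ""), self.csrf_token):
            raise PermissionError("missing or wrong CSRF token")
        rp = self.pending.pop(form.get("request_id"), None)
        if rp is None:
            raise LookupError("no pending request with that id")
        return rp  # only the request whose form was submitted is confirmed


def two_tab_scenario(provider_cls):
    """Start A, then B in a second tab, then click Confirm on tab A."""
    p = provider_cls()
    form_a = p.start("site A")
    p.start("site B")
    return p.confirm(form_a)


def cross_site_post(provider_cls):
    """A third-party page submits the confirm form with no id and no token."""
    p = provider_cls()
    p.start("site A")
    try:
        p.confirm({})
        return "accepted"
    except (PermissionError, LookupError):
        return "rejected"
```

`two_tab_scenario(VulnerableProvider)` reproduces the ticket by confirming "site B" from tab A, while the hardened provider confirms "site A" and rejects the cross-site post.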

Change History (6)

comment:1 Changed 12 years ago by jsm

This is troubling.

I wonder if this is part of the server implementation or the libraries or the protocol?

Haven't had a chance to test yet, but will soon. If this is a weakness in the library or with the library's test server implementation, we should post a bug to http://www.openidenabled.com/.

comment:2 Changed 12 years ago by jsm

Component: Tech
Owner: set to Jamie McClelland
Priority: Help/Support → Medium
Type: public → Bug/Something is broken

Re-categorizing

comment:3 Changed 12 years ago by Daniel Kahn Gillmor

Keywords: openid added

comment:4 Changed 12 years ago by Daniel Kahn Gillmor

Summary: MFPL OpenID confirmation page doesn't distinguish between two simultaneous requests, vulnerable to CSRF → MFPL OpenID provider confirmation page doesn't distinguish between two simultaneous requests, vulnerable to CSRF

comment:5 Changed 12 years ago by Jamie McClelland

This is still a problem with the new PHP stand-alone server.

comment:6 Changed 7 years ago by Daniel Kahn Gillmor

Resolution: fixed
Status: new → closed

I think this is resolved with our switch to Drupal as an OpenID provider; it has reasonable CSRF protection.
