As many Rails projects use the OpenID service to authenticate its users, I want to bring some of its security issues to your attention which were announced recently. Gareth Heyes found a cross-site request forgery attack vector with MyOpenID, one of the bigger OpenID providers. MyOpenID reacted promptly, but other providers have the same problem. Here's what he writes:
When developing a OpenID system is very important to include form tokens in order to prevent CSRF attacks. The MyOpenID.com site had included form tokens but the token was stored in the URL of the site.
A more general article about OpenID security issues can be found on GNUCITIZEN.
Bookmark to
3 responses so far ↓
1 Brian Ellin // Aug 27, 2007 at 15:06
It’s important to note that CSRF is an internet-wide security problem, not limited only to OpenID servers.
Any rails app that does not use something like csrf-killer plugin or secure-action plugin is probably vulnerable to a variety of CSRF style attacks.
2 Heiko // Aug 28, 2007 at 0:10
You’re absolutely right, that’s why I posted it here. Thanks.
3 eugene // Aug 28, 2007 at 3:15
Check out the following slides and whitepaper for a further discussion of OpenID security
Leave a Comment