OpenID Attribute Exchange flaw

The OpenID Foundation has issued an alert for all sites using OpenID that don’t confirm that the information passed through Attribute Exchange – the service extension for exchanging identity information between endpoints – was signed.

Apparently, when the information is not signed, an attacker is able to modify it. This in itself is not a big problem if the site uses Attribute Exchange to receive only low-security information, but could be a huge one if it receives information that it only trusts the identity provider to assert.

Fortunately, there is a fix for this vulnerability:

For apps that are vulnerable, we recommend modifying application code to accept only signed attribute values as an initial step. We confirmed apps using OpenID4Java are prone to accepting unsigned attributes. Please update to the latest version of this library (0.9.6 final) if you’re using it or any dependent libraries (such as Step2). Kay Framework was also vulnerable, but has since been patched in version 1.0.2. Other libraries may have the same issue though the default usage of services/libraries from Janrain, Ping Identity and DotNetOpenAuth are not susceptible to this attack.

Also, good news is the fact that attacks exploiting this flaw have not been detected so far, and that many of the affected sites have already been notified and have implemented the fix.