San-Tsai Sun ; Konstantin Beznosov

21 October 2010

Abstract: OpenID is a promising user-centric Web single sign-on protocol. According to the OpenID Foundation, there are currently more than one billion OpenID-enabled user accounts provided by major service providers such as Google, Yahoo and AOL. In this presentation, I will present OpenID security analysis and the evaluation results on 200 OpenID-enabled websites. Our preliminary result shows that more than 50% of OpenID-enabled websites are vulnerable to cross-site request forgery attack (CSRF) that allow an attacker to modify the victim's account profile information directly; and 75% of evaluated websites allow an attacker to force the victim to login their websites as the attacker stealthily. With additional practical adversary capabilities (e.g., trick users to use a malicious wireless access point or install a malicious browser extension) that enable an attacker to intercept the authentication response from the identity provider, the attacker can impersonate the victim on 65% of OpenID-enabled websites and re-masquerade the victim on 6% of the websites by simply applying the intercepted authentication responses. To the end, I will demonstrate the attack vectors employed in the evaluation process and discuss our proposed countermeasure for the current OpenID-enabled websites and future OpenID specification.

Keyword(s): OpenID ; Security Analysis ; Security Evaluation

Published in: San-Tsai Sun and Konstantin Beznosov, "OpenID Security Analysis and Evaluation," presented at the OWASP Chapter Meeting, Vancouver, Canada, October 21th 2010: