The Risks with OpenID
A few months ago, PuneTech carried an article by Hemant Kulkarni of Pune-based singleid.net giving an overview of OpenID, an up and coming technology that addresses a real pain point of anybody who has used the web – it removes the need to remember different passwords for different sites. This is called single-sign on or SSO in security parlance. More importantly, it achieves this with high security, without having to pass passwords all over the place. Actually, OpenID is much more than than this – read the whole article for more details.
Now, Rohit Srivastwa, founder of ClubHack (a group of volunteers dedicated to increasing awareness of security issues in Pune and elsewhere), has created a presentation on the risks associated with OpenID (for more information about Rohit, see his PuneTech wiki profile):
Basically, he points out that a bunch of standard, well-known security attacks (we’ve listed some of them at the end of this article) that have been developed by hackers will also work against your OpenID provider (if you don’t know what provider means in this context, you really should skim that overview article), and that results in the criminals being able to access all your online accounts with the convenience and security of single-sign-on provided by OpenID. Not the effect you were trying for, eh?
So what is to be done? This doesn’t mean that OpenID is bad. In fact, it is great and will make online life much easier. All you need to do is be aware of the risks, and be more careful. Specifically, don’t use OpenID or single-sign-on for banks or credit card account access until we tell you otherwise. Always use https. When in doubt, be paranoid – just because you aren’t paranoid, doesn’t mean they aren’t all out to get you. And don’t take any biscuits from strangers (you’ll be surprised how many people do that on Pune-Nashik buses). And get free education on security issues from the activities of ClubHack.
Some background about security attacks
These days, one of the most important (and easiest to fall for) security risks is the possibility of getting phished. A phishing attack is one in which criminals create a website that looks just like some other website (e.g. your bank’s website) and then tricks you into divulging important information (like account number, password etc.) to them.
There are a bunch of other scary attacks possible – man-in-the-middle attack, replay attack, cross-site request forgery, and cross-site scripting attack.
A man-in-the-middle attack is when an evil website sits between you and your bank website. It pulls all information from the bank website and shows it to you – so it looks like the real thing. And it takes inputs (account number, PIN codes etc.) from you and passes them on to the bank site so that it is able to access your account and show you authentic information from your account. However, along the way, it has managed to get access to your account without your knowledge.
A cross-site request forgery is an attack where malicious code to access your bank account is embedded (and hidden) in the webpage at another website – maybe some chat forum that you visit. Here’s an example from the wikipedia:
For example, one user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Bob’s bank’s website (rather than an image file), e.g.,
If Bob’s bank keeps his authentication information in a cookie, and if the cookie hasn’t expired, then the attempt by Bob’s browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob’s approval.
A cross-site scripting (XSS) attack, is a vulnerability in which a hacker can inject malicious scripts (i.e. a little program that sits inside your webpage) into otherwise genuine webpages, and hence it is able to do something terrible either to your local computer, or your account.
Note: these exploits are not specific to OpenID. These are well-known attacks that are used all over the web in all kinds of situations. Wikipedia claims that 68% of all websites are vulnerable to XSS attacks. If you are now afraid of using your computer, shouldn’t even read this article that gives an idea of how the underground hacker economy works. But do contact ClubHack to get yourself educated on basic security hygiene. To paraphrase QuickHeal‘s marketing message, aap ke PC meiN kauN rehta hai? Hacker ya ClubHack? (Incidentally, QuickHeal happens to be a Pune-based company, which is giving multi-nationals like Symantec a run for their money (incidentally, Symantec happens to have its largest R&D center in Pune (incidentally, did you notice that Pune is a very happening place technologically? (incidentally, I think you should let everybody know about how happening a place Pune is (technologically speaking) by asking them to subscribe to PuneTech)))).