OpenID: Security mistake?
Posted by zxc_mehran, 01-04-2010, 08:52 AM
Hi to all,
If you have worked with OpenID, you should know how it works.
Okay. I have an account in yahoo.com named "john22".
I use its OpenID to log in to ... site.
I can successfully log in to ... site with that.
My username is john22 in ..., as it was in yahoo.com.
--- now ---
If somebody creates an account in Google named john22 and uses its OpenID to log in to ... site, he gets my position! He can steal my info, talk under my name, etc.
How is OpenID safe from this?
Sorry for my bad English.
Thanks.
Posted by Xeentech, 01-04-2010, 01:44 PM
It's safer than this, because... this is not how OpenID works.
If the OpenID "consumer" site, in your example "... site", stores usernames as arbitrary user-supplied strings like "john22", then that is a security problem and a huge bug in that particular site. Sites don't store the user ID like that; they store the OpenID URL, because that is the unique identifier. Some sites may show a friendly version ("john22"), but they'll still be storing the proper UID.
Posted by zxc_mehran, 01-05-2010, 07:50 AM
Thank you man!
Posted by Crothers, 01-05-2010, 08:40 AM
As Xeentech said, OpenID sites should be storing the URL as the unique identifier for each user.
What this basically means is this:
You register for an OpenID-enabled site at a.example.com.
You log in to b.example.com with your OpenID from a.example.com.
Site b then stores a specific a.example.com profile, which will ONLY work for the user you signed up with, with an a.example.com URL.
It does not use usernames at all for authentication, so there is zero risk of overlap (if implemented properly). Also, when you log in with an OpenID site, you should ONLY enter your password on the OpenID provider's site (a.example.com).
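The storage rule the two replies describe, as an added example that is not part of the original thread: a toy relying party ("consumer" site) in Python that keys accounts once on the nickname (the collision zxc_mehran describes) and once on the claimed identifier URL from the verified assertion. The providers idp-a.example.com and idp-b.example.com, the assertion records and the normalization helper are assumptions constructed for the example; the normalization is a simplified version of the URL rules in OpenID Authentication 2.0 and does not handle XRI i-names.

```python
"""Added example, not code from the original thread: a toy OpenID relying
party ("consumer" site) that shows why accounts must be keyed on the
claimed identifier URL and not on a nickname. Providers, identifiers and
users are constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit

# Two verified assertions as the relying party would see them after
# checking the provider's signature, nonce and return_to. Both users chose
# the nickname "john22", but at different providers (constructed data).
ASSERTION_A = {"claimed_id": "https://idp-a.example.com/john22", "nickname": "john22"}
ASSERTION_B = {"claimed_id": "https://idp-b.example.com/john22", "nickname": "john22"}


def normalize_identifier(claimed_id: str) -> str:
    """Simplified normalization of an OpenID URL identifier.

    Loosely follows the URL rules in OpenID Authentication 2.0 section 7.2:
    default to http:// when no scheme is given, lower-case scheme and host,
    use "/" for an empty path and drop any fragment. XRI i-names are not
    handled here (a simplification, not the full spec).
    """
    if "://" not in claimed_id:
        claimed_id = "http://" + claimed_id
    parts = urlsplit(claimed_id)
    # http:// and https:// identifiers stay distinct: they are different
    # identifiers even when host and path match.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class NicknameKeyedStore:
    """Vulnerable: the account key is the nickname, so a second provider's
    "john22" lands in the first user's account (the scenario in the post)."""

    def __init__(self):
        self.accounts = {}

    def login(self, assertion):
        key = assertion["nickname"]
        return self.accounts.setdefault(key, {"display": assertion["nickname"]})


class IdentifierKeyedStore:
    """Hardened: the account key is the normalized claimed identifier taken
    from the verified assertion, never from a form field. The nickname is
    display-only."""

    def __init__(self):
        self.accounts = {}

    def login(self, assertion):
        key = normalize_identifier(assertion["claimed_id"])
        account = self.accounts.setdefault(key, {"openid": key, "display": None})
        # A friendly name may be stored for display, but it is never used
        # to look the account up, so collisions across providers are harmless.
        account["display"] = assertion["nickname"]
        return account


def collision_check():
    """Return whether each store confuses the two "john22" users."""
    weak, strong = NicknameKeyedStore(), IdentifierKeyedStore()
    weak_a, weak_b = weak.login(ASSERTION_A), weak.login(ASSERTION_B)
    strong_a, strong_b = strong.login(ASSERTION_A), strong.login(ASSERTION_B)
    return {
        "nickname_keyed_collides": weak_a is weak_b,        # True: account takeover
        "identifier_keyed_collides": strong_a is strong_b,  # False: separate accounts
        "accounts_in_hardened_store": len(strong.accounts),
    }


if __name__ == "__main__":
    print(collision_check())
    # Same user, differently written identifier, still one account:
    print(normalize_identifier("IdP-A.Example.com/john22#profile"))
```

The point of the normalization step is the mirror image of the original question: keying on the raw string the provider returned could split one user across several accounts ("http://idp-a.example.com/john22" versus "IdP-A.example.com/john22/"), so the site normalizes once and compares the result. The claimed identifier must come from the signed, verified response, not from anything the browser posted directly.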
Posted by zxc_mehran, 01-06-2010, 05:12 AM
Okay, I'm going to store those URLs somewhere as a unique identifier.
Thanks for your help.