Suggested Fix to OpenID Attribute Exchange (AX) Authentication Vulnerability


Google's security team reports that a group of security researchers recently identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX) that could lead to an authentication bypass. The issue primarily affects websites that act as relying parties using the OpenID4Java library.

"The researchers determined that the affected sites weren't confirming that certain information passed through AX was properly signed. If the site was only using AX to receive information like the user's self-asserted gender, then this issue would be minor. However, if it was being used to receive security-sensitive information that only the identity provider should assert, then the consequences could be worse," Google explains.

"The researchers contacted the primary websites they identified with this vulnerability, and those sites have already deployed a fix. There are no known cases of this attack being exploited at this point in time," added Google.

Suggested Fix:

  • As a first step, we recommend modifying vulnerable relying parties to accept AX attribute values only when signed, irrespective of how those attributes might get used.
  • During our investigation we confirmed that apps using the OpenID4Java library, with or without the Step2 wrapper, are prone to accepting unsigned AX attributes. OpenID4Java has been patched with the fix in version 0.9.6.662 (19th April, 2011).
  • Kay Framework was known to be vulnerable and has since been patched. Users should upgrade to version 1.0.2 or later. Note that Google App Engine developers who use its built-in OpenID support don't need to do anything.
  • Other libraries may have the same issue, although we don't believe that the default usage of OpenID services and libraries from Janrain, Ping Identity and DotNetOpenAuth are susceptible to this attack. However, the defaults may be overridden and you should double check your code for that.
  • We also suggest reviewing your usage of email addresses retrieved via OpenID to ensure that adequate safeguards are in place.
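
To make the first recommendation concrete, the following is an added Python example; it is not Google's code and not part of the OpenID4Java patch. It shows a relying-party check that accepts AX attribute values only when the fields carrying them, and the namespace declaration that binds the alias to AX, are listed in openid.signed. The association MAC key, endpoint URLs and response fields are constructed sample values; the signing routine follows the OpenID 2.0 key-value form over the signed fields with HMAC-SHA256. The second sample response has AX fields present but not covered by the signature, which is exactly the case the check must reject: signature verification alone passes because the signature never covered those fields.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"


def kv_form(params, signed_fields):
    # Key-Value form (OpenID 2.0 sec. 4.1.1) of the signed fields, in the order
    # given by openid.signed, with the "openid." prefix stripped from each key.
    return "".join(f"{field}:{params['openid.' + field]}\n" for field in signed_fields)


def sign_response(params, mac_key):
    # OP-side signing, used here only to construct sample responses.
    signed_fields = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(params, signed_fields).encode("utf-8"), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(digest).decode("ascii")
    return params


def verify_signature(params, mac_key):
    # RP-side check of openid.sig against the association MAC key. Note that it
    # covers only the fields named in openid.signed and nothing else.
    signed_fields = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(params, signed_fields).encode("utf-8"), hashlib.sha256).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, params["openid.sig"])


def ax_alias(params):
    # Find the extension alias bound to the AX namespace (e.g. "ext1").
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def extract_ax_attributes(params, require_signed):
    # Returns {attribute type URI: value}. With require_signed=True, an attribute
    # is accepted only if its type field, its value field and the namespace
    # declaration for the alias are all listed in openid.signed.
    alias = ax_alias(params)
    if alias is None:
        return {}
    signed = set(params["openid.signed"].split(","))
    if require_signed and f"ns.{alias}" not in signed:
        return {}
    attrs = {}
    value_prefix = f"openid.{alias}.value."
    for key, value in params.items():
        if not key.startswith(value_prefix):
            continue
        name = key[len(value_prefix):]
        type_uri = params.get(f"openid.{alias}.type.{name}")
        if type_uri is None:
            continue
        if require_signed and not {f"{alias}.type.{name}", f"{alias}.value.{name}"} <= signed:
            continue
        attrs[type_uri] = value
    return attrs


# Constructed sample data; a real MAC key comes from the RP/OP association.
MAC_KEY = b"constructed-association-mac-key"
BASE_FIELDS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.identity": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2011-05-05T00:00:00Zabc",
    "openid.assoc_handle": "assoc-1",
}
AX_FIELDS = {
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "alice@example.com",
}
CORE_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
AX_SIGNED = "ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"


def signed_ax_response():
    # The OP signed the core fields and the AX fields together.
    params = {**BASE_FIELDS, **AX_FIELDS, "openid.signed": CORE_SIGNED + "," + AX_SIGNED}
    return sign_response(params, MAC_KEY)


def unsigned_ax_response():
    # The OP signed only the core fields; the AX fields are present but uncovered.
    params = sign_response({**BASE_FIELDS, "openid.signed": CORE_SIGNED}, MAC_KEY)
    params.update(AX_FIELDS)
    return params


if __name__ == "__main__":
    for label, response in (("signed AX", signed_ax_response()), ("unsigned AX", unsigned_ax_response())):
        print(label, "sig ok:", verify_signature(response, MAC_KEY))
        print("  lenient:", extract_ax_attributes(response, require_signed=False))
        print("  strict: ", extract_ax_attributes(response, require_signed=True))
```

Run stand-alone, the script shows that both responses pass signature verification, that the lenient extractor hands back the e-mail address from either, and that the strict extractor returns the address only from the response where the AX fields were actually signed. The strict form is the behaviour the fix calls for: decide on the signed list, not on whether the field happens to be present.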

A detailed explanation of the use of claimed IDs and email addresses can be found in Google's OpenID best practices.

[Source: Google Code blog]