Mike Fischer

Reputation: 1083

Does AOL OpenID allow account ID spoofing?

When authenticating to any site (including stackoverflow) with an AOL OpenID, it appears that you can specify any fake username in the form, then enter a valid AOL username/password on the AOL OpenID site, and the target web site (e.g. stackoverflow) will be told that authentication succeeded, but with the FAKE username.

My question is, is this the way OpenID is supposed to work, or is AOL doing something wrong, or am I just misunderstanding what's going on?

I came across this on my own project, and after hours of debugging, decided to see if I could reproduce it on a well established site.

I went to stackoverflow, clicked "log in", clicked the AOL logo, and entered "asdf" as the username. It took me to the AOL OpenID site, where I entered my true AOL username/password. I was then returned to stackoverflow, which said:

Confirm OpenID
This OpenID does not have an account on Stack Overflow yet:
http://openid.aol.com/asdf
Create New Account

I clicked "Create" and there's now an "http://openid.aol.com/asdf" account on stackoverflow (sorry! I tried to delete it but don't see how).

This doesn't seem right... and in my app, it means that the identifier I'm using for my users may not be accurate/valid... it might even be possible for someone unscrupulous to come along, enter someone else's AOL OpenID username/URL into a login box, authenticate with a valid AOL username/password, and then gain access to the other account on the target web site?

On OpenID provider sites that return a unique identifier, like Google or Yahoo, this doesn't seem to be an issue.

Thanks for any suggestions... this is driving me crazy on my development effort...

Upvotes: 4

Views: 718

Answers (3)

George Fletcher

Reputation: 146

Can you please try your test again? I believe the issue is resolved.

Upvotes: 1

Andrew Arnott

Reputation: 81801

This would be an (extremely serious) bug in the AOL OpenID Provider. However, I just tried them and it didn't work for me. Maybe they fixed it. Can you try again?

Upvotes: 1

ʇsәɹoɈ

Reputation: 23479

An OpenID relying party (stackoverflow) is supposed to perform discovery on the ID you give it (asdf) in order to find the OpenID provider (AOL). Then, when you have logged in to the provider and it sends back a positive ID assertion, the relying party is supposed to verify that the claimed ID in the assertion matches the earlier-discovered information. This is how OpenID prevents spoofing. If stackoverflow is using the originally-entered ID instead of the ID in the final assertion without verifying a match, that would be a bug.

(I'm over-simplifying a little, but that's the gist of it. Read the spec for details, particularly on delegation and the difference between a claimed ID and a local ID.)

Here is a site that will test this verification:

http://www.test-id.net/RP/VerifyAssertionDiscovery.aspx

Here are more tests:

http://www.test-id.net/

Also, the provider is allowed to assert that any ID in its own realm belongs to you, as long as it never asserts that the same ID belongs to someone else. This allows a provider to generate (on your behalf) a different ID for each relying party you visit, so you can't be tracked across multiple sites using the same ID. It's a privacy feature (though I don't know if any providers implement it yet).

Upvotes: 3
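The relying-party check this answer describes (OpenID 2.0 section 11.2, "Verifying Discovered Information"), as an added example that is not part of the original answer or any real RP library: discovery is simulated with a dict instead of Yadis/XRDS/HTML lookups, signature checking is assumed to have happened already, and every URL and identifier is a constructed placeholder rather than an AOL or Stack Overflow endpoint.

```python
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP = "https://op.example.com/server"  # constructed OP endpoint URL

# Simulated discovery results: claimed identifier -> (OP endpoint, OP-local ID).
# Real discovery would fetch the identifier URL; these entries are constructed.
DISCOVERY = {
    "http://openid.example.com/alice": (OP, "http://openid.example.com/alice"),
    "http://openid.example.com/mallory": (OP, "http://openid.example.com/mallory"),
    # An OP identifier: the user typed the provider's URL and lets it pick the
    # ID (directed identity, the per-RP privacy feature mentioned above).
    "https://op.example.com/": (OP, IDENTIFIER_SELECT),
    "http://openid.example.com/pairwise-7f3a": (OP, "http://openid.example.com/pairwise-7f3a"),
}


def discover(identifier):
    """Return (op_endpoint, op_local_id) for an identifier, or None if unknown."""
    return DISCOVERY.get(identifier)


def buggy_identity(entered_id, assertion):
    """The RP behaviour the question describes: trust whatever the user typed."""
    return entered_id


def verified_identity(entered_id, assertion):
    """Return the claimed identifier the RP may trust, or raise ValueError.

    `assertion` holds the openid.* fields of a positive assertion whose
    signature has already been checked; only discovery verification is done here.
    """
    claimed = assertion["openid.claimed_id"]
    discovered = discover(entered_id)
    if discovered is None:
        raise ValueError("discovery failed for the entered identifier")
    # If the OP chose the identifier (identifier_select) or asserted a different
    # claimed ID than the one entered, the RP holds no discovery data for it yet
    # and must discover the asserted claimed ID before trusting the assertion.
    if discovered[1] == IDENTIFIER_SELECT or claimed != entered_id:
        discovered = discover(claimed)
        if discovered is None:
            raise ValueError("OP asserted an identifier it is not authoritative for")
    op_endpoint, local_id = discovered
    if assertion["openid.op_endpoint"] != op_endpoint:
        raise ValueError("openid.op_endpoint does not match discovered endpoint")
    if assertion["openid.identity"] != local_id:
        raise ValueError("openid.identity does not match discovered OP-local ID")
    return claimed  # the asserted and verified ID, never the typed string
```

Note that this check only guarantees the asserted ID belongs to the OP that signed it; an OP that asserts the wrong ID within its own realm, as the question reports for AOL, cannot be detected by the RP, which is why the other answers call it a provider bug.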
