OpenID Warns of Serious Bugs in Some Implementations
Amid the fallout from the latest bungled password service kerfuffle at LastPass comes a warning from the OpenID Foundation of a critically serious flaw that leaves certain deployments of the product open to a certain level of inter-process data poisoning. More below…
via the Kaspersky Lab Threatpost blogs' Dennis Fisher: "OpenID Warns of Serious Bugs in Some Implementations"
"The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data that's exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem. The bug in OpenID lies in the way that the system's Attribute Exchange, an extension to the OpenID system that gives sites the ability to exchange identity information between endpoints. OpenID, an open source project that enables users to prove their identity to myriad sites without providing their password, is used by a slew of popular sites, including Google, Yahoo and Flickr…"