OAuth and OpenID: Serious Security Flaw Discovered
According to Nate Lawson and Taylor Nelson of Root Labs, OpenID and OAuth, which are used to authenticate third-party web and desktop applications to web services like Twitter and Digg, are at risk from a severe security flaw. The flaw also affects a host of other open source authentication services. The matter will be brought up at an upcoming security conference.

The flaw is based on the very controversial timing attack, in which the attacker measures the time the server takes to check a signature and uses it to estimate whether the first few characters of the attempted signature are correct. Repeating this process can, in theory, lead to a successful hack. In practice, however, it is very hard to carry out, or at least that was the common belief until three years ago.
Three years ago, a timing attack was used to hack into the Xbox, and the people who did it became geek gods. However, that involved direct interaction with the host. Over a network, many more factors have to be considered, such as network load, jitter and varying latency.
What is remarkable is that Lawson and Nelson claim to have executed the attack over a network as well as in a cloud, and to have successfully obtained sensitive information. Further details will be revealed at the upcoming Black Hat conference in Las Vegas.
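
The signature check at the heart of the timing attack described above, as an added example that is not from the original article or from Lawson and Nelson's research: an early-exit comparison whose work depends on how many leading characters are correct, beside a constant-time check. The HMAC-SHA256 signature scheme, the key, the message and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions), not taken from any real service.
SECRET = b"constructed-demo-secret"
MESSAGE = b"GET&https%3A%2F%2Fapi.example.test%2Fresource&nonce%3D1"


def sign(message, secret=SECRET):
    """Hex HMAC-SHA256 signature the server expects for `message`."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest().encode()


def leaky_equals(expected, supplied):
    """Early-exit comparison; returns (match, bytes_examined).

    bytes_examined stands in for running time: the loop stops at the first
    mismatch, so the work done grows with the length of the correct prefix.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_constant_time(message, supplied):
    """Hardened check: compare_digest does not stop at the first mismatch."""
    return hmac.compare_digest(sign(message), supplied)


def work_for_prefix(n):
    """Bytes leaky_equals examines when exactly the first n characters match."""
    good = sign(MESSAGE)
    wrong = b"0" if good[n:n + 1] != b"0" else b"1"
    guess = good[:n] + wrong + good[n + 1:]
    return leaky_equals(good, guess)[1]


if __name__ == "__main__":
    for n in (0, 8, 32):
        print(f"{n:2d} correct characters -> {work_for_prefix(n)} bytes examined")
    print("valid signature accepted:", verify_constant_time(MESSAGE, sign(MESSAGE)))
    print("forged signature rejected:", not verify_constant_time(MESSAGE, b"0" * 64))
```

The count of bytes examined is a deterministic stand-in for the time difference; on a real server that difference is tiny and buried in the network noise the article mentions, which is why the comparison itself should not depend on the input.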
One Response to this Article | Share your Opinions/Comments

I’m currently using OpenID, but now I will look for other alternatives.