OAuth and OpenID: Serious Security Flaw Discovered

According to Nate Lawson and Taylor Nelson of Root Labs, OpenID and OAuth, the protocols used to let third-party web and desktop applications authenticate to web services like Twitter and Digg, are exposed to a severe security flaw. In fact, the flaw affects a host of other open source authentication libraries as well. The matter will be presented at an upcoming security conference.


The flaw is based on the very controversial timing attack: the attacker measures how long the server takes to check a signature and uses that time to estimate whether the first few characters of the attempted signature are correct, because a comparison that stops at the first mismatching character takes slightly longer the further it gets. Repeating this process can, in theory, lead to a successful hack. In practice, however, it is very hard to carry out, or at least that was the common belief until three years ago.
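The comparison behaviour the article describes, as an added example that is not from the article or from Root Labs: an early-exit signature comparison next to a constant-time one. The key, request string and the step counter are constructed here for illustration; on a real server the step count shows up as response time.

```python
import hashlib
import hmac

# Constructed sample secret and signed request string (not from the article).
KEY = b"example-shared-secret"
MESSAGE = b"GET /1/statuses/home_timeline.json"


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 over the request, the primitive behind OAuth's HMAC-SHA1 method."""
    return hmac.new(key, message, hashlib.sha1).digest()


def insecure_equal(expected: bytes, submitted: bytes) -> tuple:
    """Byte-by-byte comparison that returns as soon as a byte differs.

    Returns (matches, bytes_examined). The number of bytes examined is what a
    timing attack observes: the more leading bytes are right, the longer this runs.
    """
    if len(expected) != len(submitted):
        return False, 0
    steps = 0
    for x, y in zip(expected, submitted):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def secure_equal(expected: bytes, submitted: bytes) -> bool:
    """Constant-time comparison: the work done does not depend on where the inputs differ."""
    return hmac.compare_digest(expected, submitted)


def leaked_prefix_length(expected: bytes, submitted: bytes) -> int:
    """How many correct leading bytes the insecure comparison reveals through its step count."""
    matches, steps = insecure_equal(expected, submitted)
    return steps if matches else steps - 1


def guess_with_prefix(expected: bytes, k: bytes_len := 0) -> bytes:  # placeholder, replaced below
    raise NotImplementedError
```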

Three years ago, a timing attack was used to hack into  Xbox and the people who did this became geek gods. However, that was a direct interaction with the host. In case of a network, we need to consider many factors like network load, jitter and a varying latency.

What is remarkable is that Lawson and Nelson have claimed that they have executed this on a network as well as on a cloud and have gained sensitive information successfully. Any further details on this will be revealed at the upcoming BlackHat conference at Las Vegas.


Published by

Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. You can connect with him on Twitter @ckandroid.