According to Nate Lawson and Taylor Nelson from Root Labs, OpenID and OAuth, used to authenticate third party web applications and desktop applications to use web services like Twitter and Digg are under a risk of a severe security threat. In fact, the security flaw affects a host of other open source authentication services. The matter will be brought up at an upcoming security conference.
The flaw is based on the very controversial timing attack according to which, the attacker checks for the time required to analyze signatures and estimates if the first few characters of his attempted signature is correct or not. This process, if repeated can lead to a successful hack in theory. However, in practice, it is very hard to carry out or, that was the common belief until three years ago.
Three years ago, a timing attack was used to hack into Xbox and the people who did this became geek gods. However, that was a direct interaction with the host. In case of a network, we need to consider many factors like network load, jitter and a varying latency.
What is remarkable is that Lawson and Nelson have claimed that they have executed this on a network as well as on a cloud and have gained sensitive information successfully. Any further details on this will be revealed at the upcoming BlackHat conference at Las Vegas.