This is a guest post by Stella Rebecca.
Barracuda Labs has found that scammers are running a worldwide attack against OpenID users in order to harvest their user information, in particular their login details.
Many custom-made login pages are appearing that are built to look very similar to the sign-in pages used during the OpenID authentication process, said Chapetti and Michmerhuizen, security researchers at Barracuda. The OpenID login process differs slightly from a normal login in that users can sign in to one website using their credentials from another website, such as Google, Facebook or Twitter. What is happening now is that once the user has typed in their username and password and hit enter, the information is forwarded to the phishing website, which then sends an automated message back to the user confirming their details and claiming that they have been validated.
According to the researchers' findings, this scam campaign uses one of two email messages. One email takes users to a real estate page based in Australia, which is of course a compromised site and a trap. Alternatively the user may receive a UPS notification, which is again a setup, and is directed to a phishing site in the form of a UPS login page.
In no way does this mean that there is a security lapse in the OpenID system itself; the problem is the users' unfamiliarity with how their information is exchanged. Users are unable to differentiate between real and phishing sites, and this is what scammers capitalize on.
Generally this is how the process takes place. First, the user who wants to log in to or authenticate to a website that uses the OpenID protocol is presented with a login page from the domain of the website that provides the identity. This website is known as the identity provider (IdP), and its page is where the person types in their login details.
However, there is a way for users to tell if a login page is a fraud: check for a missing browser address bar. As some sources state, OpenID initially supported only full-frame redirection to the IdP so that the browser address bar was clearly visible. Today some IdPs do support a pop-up window, but none of them should be using an iframe.
Furthermore, users who have already signed in to their IdP's domain and are using their account should never be asked to verify or re-enter their user details.
For now IdPs are trying to train their users to understand how their sites work. For example, when users revisit a web page and are already logged in, they should see a consent page rather than having to sign back in to their account.
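The two properties described above (the login page must be shown top-level at the IdP's own domain, never inside an iframe, and a visible address bar is what lets the user confirm the domain) can be enforced and checked in code. The following is an added example, not code from the original post or from Barracuda: it classifies an IdP response's framing policy from its headers, and checks whether a login URL really points at an expected IdP host, including look-alike hosts of the kind a phishing page would use. The hostnames and headers below are constructed for illustration.

```python
"""Added example: defensive checks for the OpenID login-page properties
discussed in the post. Nothing here is the OpenID Foundation's own code."""
from urllib.parse import urlsplit


def framing_policy(headers):
    """Classify whether a login page response allows itself to be framed.

    headers: dict of HTTP response header name -> value (names compared
    case-insensitively). Returns 'denied', 'same-origin' or 'framable'.
    A CSP frame-ancestors directive takes precedence over X-Frame-Options,
    matching how browsers that support CSP behave.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            # Any other source list lets some third-party origin frame the page.
            return "framable"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # No policy at all: a phishing page can embed this login form in an iframe.
    return "framable"


def idp_host_matches(url, idp_hosts):
    """True only if url uses https and its host is an expected IdP host
    (exact match or a subdomain of it).

    urlsplit().hostname strips userinfo and the port, so a URL such as
    https://idp.example@evil.example/ resolves to the host evil.example and
    is rejected, as is idp.example.evil.example (a suffix look-alike).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower()
    for idp in idp_hosts:
        idp = idp.lower()
        if host == idp or host.endswith("." + idp):
            return True
    return False


# Constructed sample data (hypothetical hostnames and headers).
EXPECTED_IDP_HOSTS = ["accounts.example-idp.test"]

HARDENED_IDP_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
LEGACY_IDP_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
PHISHING_PAGE_HEADERS = {"Content-Type": "text/html"}


if __name__ == "__main__":
    for name, hdrs in [("hardened", HARDENED_IDP_HEADERS),
                       ("legacy", LEGACY_IDP_HEADERS),
                       ("phish", PHISHING_PAGE_HEADERS)]:
        print(name, framing_policy(hdrs))
    for url in ["https://accounts.example-idp.test/login",
                "https://accounts.example-idp.test.evil.test/login",
                "https://accounts.example-idp.test@evil.test/login",
                "http://accounts.example-idp.test/login"]:
        print(url, idp_host_matches(url, EXPECTED_IDP_HOSTS))
```

The header check is what an IdP operator would run against their own login endpoint (a hardened IdP should come out as `denied`); the URL check is the programmatic form of the address-bar inspection the post recommends to users, and it is the kind of allow-list a relying party can apply to the redirect target before sending a user off to authenticate.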
Meanwhile, the OpenID Foundation is close to completing a newer and more powerful OpenID protocol known as OpenID Connect. Alongside it they are also working on a standardized user interface known as Account Chooser, which will provide a uniform login page for all OpenID users and providers.