Mozilla unmasks security flaw in Persona, warns other OpenID implementers
October 03, 2013
A vulnerability found recently in an OpenID-based feature of the Mozilla Persona online identity management service prompted the company to advise Web developers to check their OpenID implementations for similar issues.

Mozilla Persona allows users to verify their ownership of one or more email addresses and then use those addresses to authenticate on websites. Users have to remember only their Persona account password, because once they're logged into the service, authenticating on Persona-enabled websites only takes two mouse clicks.

To verify email addresses for use with Persona, users typically have to click on a link sent to those addresses, except for Gmail and Yahoo addresses, which are verified through what Mozilla calls "Identity Bridging," a feature based on the OpenID authentication protocol.

It's in this identity bridge feature that three security researchers from the University of Trier in Germany have recently found a serious vulnerability. The flaw, which was reported through the Mozilla bug bounty program and is now fixed, could have allowed an attacker to authenticate on Persona-enabled websites with the Gmail or Yahoo Mail addresses of other users.
Link: http://www.pcworld.com/article/2052120/mozilla-unmasks-security-flaw-in-persona-warns-other-openid-implementers.html#tk.rss_all