is it possible to hack the header returns from Google/Yahoo! authentication openid request? i mean someone someone uses [email protected] to get authenticated with Google and then changes [email protected] to [email protected] in response from Google and get logged in to site with my account?
+1
A:
No. If it were possible, that'd defeat the point.
The site you're authenticating with talks directly with the authentication provider, and the authentication provider talks with the user. The user can't change what goes to the site, because the auth provider doesn't go through the user to get to the site.
Amber
2010-04-27 09:45:24
i mean with some sniffer softwares and changing TCP packet content.
hd
2010-04-28 17:15:00
That's not how it works.
Amber
2010-04-28 17:44:46
+2
A:
Yes, the authentication payload from the Provider to the Relying Party goes through the user's browser, giving the user the opportunity to inspect and even change what gets forwarded to the relying party web site.
However the payload is signed, so any changes to the signed portion of the message will result in the relying party detecting tampering has taken place and should reject the message.
So in effect, no, you can't hijack someone else's account using this method because of the signature verification process that is a built-in part of OpenID.
Andrew Arnott
2010-04-28 17:56:48