The leader of an open source authentication project warned developers last week of flawed sample code that, if copied into a Web site, would open a “serious vulnerability” in implementations of OpenID authentication.
The flaw has since been fixed in the code, but the rub is that the fix must be applied manually because the sample code likely was cut and pasted into Web sites. A patch or update, therefore, is not an option.
The code was produced by the DotNetOpenAuth project, which counts Microsoft as a participant. The project provides an open source library that brings OpenID, OAuth, and Information Card (ICard) capabilities to the Microsoft .NET Framework.
The flawed sample, however, is not shipped in any Microsoft product, even though the software giant ships the DotNetOpenAuth library as part of Visual Studio 2012 and its ASP.Net MVC (Model-View-Controller) templates.
Andrew Arnott, a freelance developer in charge of the project, said the flaw appears to have been around since Oct. 2010 in sample code for building an OpenID Provider (OpenIdProviderMVC).
“Each OpenID Provider MVC web site needs to review their code to see if they copied the bug and then fix it manually,” said Arnott. “It's a good bet that some folks simply copied the OpenID Provider sample to deploy on their own web site, but I am not aware of any specific case where this has happened,” he said.
The flawed code sample works with both OpenID 1.1 and 2.0.
Arnott said that he stresses to developers the challenges of building an OpenID Provider and encourages thorough QA. “So hopefully everyone has done due diligence and hasn’t copied the bug in the sample over to their deployed web app,” he said. But plenty of people are known to copy sample code right into their shipping applications, he noted.
The sample code flaw allows an attacker to authenticate at a relying party web site and gain control of another user’s account. In an OpenID authentication flow, the relying party is the site the user logs in to, using an identity vouched for by an identity provider (IdP), also called the OpenID Provider. The user presents their credentials to the IdP, not to the relying party; the relying party “relies” on the IdP to supply an assertion that the user is who they say they are.
By exploiting the flaw, an attacker could log in at the relying party and gain control of the account of another user who is registered with the same IdP.
The sample code neglected to include the check that requires the IdP to approve only identities the currently logged-in user controls. The sample verified that a user was logged in at the IdP, but not that the identity named in the relying party’s request belonged to that user.
So if Bob and Sally are both registered users at the same IdP, Bob could potentially sign in as Sally at any relying party site that accepts that IdP.
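The following is an added example, not code from the DotNetOpenAuth project or its OpenIdProviderMVC sample. It models, in plain Python, the authorization decision an OpenID Provider makes when a relying party sends a checkid request, and contrasts the flawed pattern the article describes (approve any requested identity as long as someone is logged in) with the corrected check. The identifier URLs, the `USERS` table and the function names are hypothetical; the `identifier_select` constant is the real OpenID 2.0 value for directed identity, where the relying party leaves the choice of user to the provider.

```python
# Added example, not DotNetOpenAuth code. A minimal model of an OpenID
# Provider's (OP's) decision on a checkid_setup request. Account table,
# identifier URLs and function names are hypothetical.

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Hypothetical account table: login name -> OP-local identifier that user owns.
USERS = {
    "bob": "https://idp.example/user/bob",
    "sally": "https://idp.example/user/sally",
}


def checkid_request(identity, claimed_id=None):
    """The fields of an OpenID 2.0 checkid_setup message that matter here.

    openid.identity is the OP-local identifier the OP is asked to assert;
    openid.claimed_id is the identifier the relying party will use (usually
    the same URL, or a URL that delegates to it).
    """
    return {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.claimed_id": claimed_id or identity,
    }


def decide_vulnerable(request, session_user):
    """The flawed pattern: if anyone is logged in, approve whatever identity
    the request names. Returns None when nobody is logged in (a real site
    would redirect to its login page)."""
    if session_user is None:
        return None
    return {
        "approved": True,
        "openid.identity": request["openid.identity"],
        "openid.claimed_id": request["openid.claimed_id"],
    }


def decide_fixed(request, session_user):
    """Approve only an identity the logged-in user actually controls."""
    if session_user is None:
        return None
    owned = USERS[session_user]
    if request["openid.identity"] == IDENTIFIER_SELECT:
        # Directed identity: the RP did not name a user, so the OP fills in
        # the identifier of whoever is logged in. Nothing to compare here.
        return {"approved": True, "openid.identity": owned,
                "openid.claimed_id": owned}
    if request["openid.identity"] != owned:
        # The missing check: the requested identity is not this user's.
        # Send a negative assertion instead of approving.
        return {"approved": False, "openid.identity": request["openid.identity"],
                "openid.claimed_id": request["openid.claimed_id"]}
    # openid.claimed_id may legitimately be a delegating URL the OP cannot
    # verify; the RP checks that delegation during discovery, so pass it on.
    return {"approved": True, "openid.identity": owned,
            "openid.claimed_id": request["openid.claimed_id"]}


def bob_as_sally(decide):
    """Bob is logged in at the OP; a relying party asks it to assert Sally."""
    request = checkid_request(USERS["sally"])
    return decide(request, session_user="bob")


if __name__ == "__main__":
    print("vulnerable:", bob_as_sally(decide_vulnerable))
    print("fixed:     ", bob_as_sally(decide_fixed))
```

When auditing a provider built from a copied sample, the question to ask of the code path that sets the request as authenticated is the one `decide_fixed` asks: is the identifier in the request compared against the identifier(s) of the session user, and is the directed-identity case filled in from the session rather than from the request?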
Arnott says he hasn’t yet gone through the version control history, but his guess is the error was in the first ever ASP.Net MVC OpenID Provider sample. DotNetOpenAuth has supported ASP.Net MVC since version 1.0.
Microsoft’s Model-View-Controller (MVC) architectural pattern separates an application into those three components. The ASP.NET MVC framework is an alternative to the ASP.NET Web Forms pattern for building Web applications.