Investigation: Google ID login on

    General discussion

  • Below are the labeled traces for analysis:

                  benign trace             scenario (A)             scenario (B)           scenario (C)

    Some basic understandings about the benign trace:

    1. Security is based on the authenticity of elements in BRM3, which contains a signature element "openid.sig".
    2. Smartsheet identifies a user by "" in BRM3, so the key question is whether "" can be overwritten by the attacker.
    3. ( in short) in BRM1 determines what value in BRM3 will return. If is "", then will contain the user's email. If is "", then contains the user's first name.

    Tuesday, January 24, 2012 9:08 PM

All replies

  • "openid.signed[LIST]" in BRM3 is a superset of "openid.ext1.required[LIST]" in BRM1, i.e., "openid.ext1.required[LIST]" is propagated into "openid.signed[LIST]".
    Tuesday, January 24, 2012 11:38 PM