Investigation: Google ID login on Smartsheet.com

    General discussion

  • Below are the labeled traces for analysis:

    [Figures: benign trace, scenario (A), scenario (B), scenario (C)]

    Some basic understandings about the benign trace:

    1. Security is based on the authenticity of elements in BRM3, which contains a signature element "openid.sig".
    2. Smartsheet identifies a user by "openid.ext1.value.email" in BRM3, so the key question is whether "openid.ext1.value.email" can be overwritten by the attacker.
    3. openid.ext1.type.email (type.email in short) in BRM1 determines what value value.email in BRM3 will return. If type.email is "http://schema.openid.net/contact/email", then value.email will contain the user's email. If type.email is "http://axschema.org/namePerson/first", then value.email contains the user's first name.












    Tuesday, January 24, 2012 9:08 PM
    Owner

All replies

  • "openid.signed[LIST]" in BRM3 is a superset of "openid.ext1.required[LIST]" in BRM1, i.e., "openid.ext1.required[LIST]" is propagated into "openid.signed[LIST]".
    Tuesday, January 24, 2012 11:38 PM
    Owner
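
An added example, not part of the original thread and not Smartsheet's or Google's code: a relying-party check that takes "openid.ext1.value.email" from BRM3 only when "openid.sig" verifies, both "ext1.type.email" and "ext1.value.email" are listed in "openid.signed", and the signed type is the email schema URI. The function names, the HMAC-SHA256 association key and the sample messages are constructed assumptions.

```python
import base64
import hashlib
import hmac

EMAIL_TYPE = "http://schema.openid.net/contact/email"  # URI quoted in the post
NEEDED = ("ext1.type.email", "ext1.value.email")  # must be covered by openid.sig

def _mac(msg, signed, key):
    # OpenID 2.0 key-value form: "field:value\n", names without "openid."
    text = "".join(f"{f}:{msg['openid.' + f]}\n" for f in signed)
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha256).digest())

def signature_ok(brm3, key):
    """Recompute openid.sig over exactly the fields named in openid.signed."""
    try:
        expected = _mac(brm3, brm3.get("openid.signed", "").split(","), key)
    except KeyError:
        return False  # a field listed as signed is absent from the message
    return hmac.compare_digest(expected, brm3.get("openid.sig", "").encode())

def trusted_email(brm3, key):
    """Return the email only when it is authenticated, otherwise None."""
    if not signature_ok(brm3, key):
        return None
    signed = set(brm3["openid.signed"].split(","))
    # A valid signature says nothing about fields outside openid.signed.
    if not all(f in signed for f in NEEDED):
        return None
    # The value is an email only if the signed type says so.
    if brm3["openid.ext1.type.email"] != EMAIL_TYPE:
        return None
    return brm3["openid.ext1.value.email"]

def make_brm3(fields, signed, key):
    """Constructed sample message, signed over `signed` as an IdP would."""
    msg = {"openid." + k: v for k, v in fields.items()}
    msg["openid.signed"] = ",".join(signed)
    msg["openid.sig"] = _mac(msg, signed, key).decode()
    return msg

KEY = b"constructed-association-key"  # assumption: shared HMAC-SHA256 key
FIELDS = {"claimed_id": "https://idp.example/id?u=1",
          "ext1.type.email": EMAIL_TYPE,
          "ext1.value.email": "alice@example.com"}

if __name__ == "__main__":
    full = make_brm3(FIELDS, ["claimed_id", *NEEDED], KEY)
    partial = make_brm3(FIELDS, ["claimed_id"], KEY)  # email fields unsigned
    print(trusted_email(full, KEY), trusted_email(partial, KEY))
```

The second sample message carries a valid signature yet yields no email, because the email fields fall outside "openid.signed".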