Investigation: Google ID login on Smartsheet.com

  • Below are the labeled traces for analysis:

    - benign trace
    - scenario (A)
    - scenario (B)
    - scenario (C)

    Some basic understandings about the benign trace:

    1. Security is based on the authenticity of elements in BRM3, which contains a signature element "openid.sig".
    2. Smartsheet identifies a user by "openid.ext1.value.email" in BRM3, so the key question is whether "openid.ext1.value.email" can be overwritten by the attacker.
    3. openid.ext1.type.email (type.email in short) in BRM1 determines what value value.email in BRM3 will return. If type.email is "http://schema.openid.net/contact/email", then value.email will contain the user's email. If type.email is "http://axschema.org/namePerson/first", then value.email contains the user's first name.

    • Edited by Rui Wang ISRC Tuesday, February 7, 2012 5:56 PM
    • Edited by cs0317 Friday, March 30, 2012 5:56 PM
    Tuesday, January 24, 2012 9:08 PM

All replies

  • "openid.signed[LIST]" in BRM3 is a superset of "openid.ext1.required[LIST]" in BRM1, i.e., "openid.ext1.required[LIST]" is propagated into "openid.signed[LIST]".
    Tuesday, January 24, 2012 11:38 PM
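As an added example (not code from this thread or from Smartsheet), the following Python check captures the conditions the original post and the reply describe: a relying party should take the user identity from "openid.ext1.value.email" in BRM3 only if "openid.sig" verifies, the ext1 fields it relies on are listed in "openid.signed", and "openid.ext1.type.email" is the email schema URI rather than some other attribute. The MAC key and the assertion are constructed, and the local signing step stands in for the OP.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL_TYPE = "http://schema.openid.net/contact/email"

def signed_fields(params):
    return [f.strip() for f in params.get("openid.signed", "").split(",") if f.strip()]

def compute_sig(params, mac_key):
    """OpenID 2.0 signature: HMAC-SHA256 over the key-value form of the signed fields."""
    kv = "".join(f"{n}:{params['openid.' + n]}\n" for n in signed_fields(params))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def extract_email(params, mac_key):
    """Return the asserted email, or None if any trust condition fails."""
    if not hmac.compare_digest(compute_sig(params, mac_key), params.get("openid.sig", "")):
        return None  # BRM3 was modified after the OP signed it
    signed = set(signed_fields(params))
    # The alias 'ext1' must be bound to AX, and every field we rely on must be signed.
    if not {"ns.ext1", "ext1.type.email", "ext1.value.email"} <= signed:
        return None
    if params.get("openid.ns.ext1") != AX_NS:
        return None
    # The alias 'email' must denote the email attribute, not e.g. namePerson/first.
    if params.get("openid.ext1.type.email") != EMAIL_TYPE:
        return None
    return params["openid.ext1.value.email"]

# Constructed sample (not a captured trace): association MAC key and a BRM3-like assertion.
MAC_KEY = b"constructed-association-mac-key"

def sample_assertion(type_email=EMAIL_TYPE, value_email="alice@example.com"):
    p = {
        "openid.ns.ext1": AX_NS,
        "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.email": type_email,
        "openid.ext1.value.email": value_email,
        "openid.signed": "ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
    }
    p["openid.sig"] = compute_sig(p, MAC_KEY)  # stands in for the OP's signing step
    return p

if __name__ == "__main__":
    good = sample_assertion()
    print(extract_email(good, MAC_KEY))      # alice@example.com
    renamed = sample_assertion("http://axschema.org/namePerson/first", "Alice")
    print(extract_email(renamed, MAC_KEY))   # None: 'email' alias carries a first name
```

A signed assertion whose "openid.signed" omits "ext1.value.email" also yields None, which is the check that the reply's observation about list propagation relies on.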