can the response from Google/Yahoo! be changed in openID process?
https://stackoverflow.com/questions/2720121
-
01-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
is it possible to hack the header returns from Google/Yahoo! authentication openid request? i mean someone someone uses him@gmail.com to get authenticated with Google and then changes him@gmail.com to me@gmail.com in response from Google and get logged in to site with my account?
Solution
Yes, the authentication payload from the Provider to the Relying Party goes through the user's browser, giving the user the opportunity to inspect and even change what gets forwarded to the relying party web site.
However the payload is signed, so any changes to the signed portion of the message will result in the relying party detecting tampering has taken place and should reject the message.
So in effect, no, you can't hijack someone else's account using this method because of the signature verification process that is a built-in part of OpenID.
OTHER TIPS
No. If it were possible, that'd defeat the point.
The site you're authenticating with talks directly with the authentication provider, and the authentication provider talks with the user. The user can't change what goes to the site, because the auth provider doesn't go through the user to get to the site.
