pdp over at GNUCITIZEN claims to have found a vulnerability in some common OpenID libraries. And I really tried hard to understand what he means and how it is related to the title of the article. In the end, I got the impression that he simply explains in a lengthy way that anybody could run an OpenID server and use it to log into OpenID-enabled services without having to register. Now isn’t this the whole purpose of OpenID?
Apparently, I wasn’t the only one who got this impression — while the first commenter totally misinterpreted the article (which wasn’t hard), the second comment was already: “Isn’t this by design?” And pdp answered, confirming that my interpretation of his article was correct, the point really being that authentication with OpenID is easier than registration (no captcha and the like). So why didn’t he just say that, in one simple sentence rather than 7 (seven!) paragraphs of text? Why talk about CSRF, OpenID libraries or hijacking when apparently none of them has anything to do with the issue? Why provide a meaningless piece of code only to obfuscate the meaning even further?
I am very disappointed at having wasted so much time on this article. While GNUCITIZEN occasionally comes up with interesting findings, this kind of “we have nothing to tell, but let’s make an article out of it and give it some unrelated but catchy title” is happening way too often. On several occasions valid behavior has been misinterpreted as a security vulnerability, or the analysis of a security vulnerability has been incorrect (e.g. something has been called XSS despite only one domain being involved). Time for me to stop reading it again. Is there anybody else worth reading on the topic of web application security? Apart from ha.ckers, of course.
Update: Apparently, there actually was some deeper meaning to that article — and a valid point. See pdp’s comment below for details.