Barracuda Labs recently reported that a phishing campaign is stealing user passwords and login details through a login page that mimics an OpenID identity provider's sign-in page, with the aim of taking over users' social media accounts. Facebook, Twitter, Google, and Yahoo accounts are the main targets.
Security researchers from Barracuda, Dave Michmerhuizen and Luis Chapetti, recently told John Fontana of ZDNet that they discovered "login" pages on various websites that look similar to the authentication pages of OpenID providers. Unsuspecting users type in their credentials, which the scammer then collects. A confirmation message is then shown to the user, which makes them think they registered properly.
It is important to note that this is not a flaw in OpenID itself; it is a scam that uses pages that look similar to OpenID provider pages.
So how can you tell the scam from the real thing? Check whether the login page appears in a window with a browser address bar. If it does not (for example, because the form is embedded inside the page you were already visiting), do not log in. If it does, confirm that the address shown is your identity provider's domain before entering your credentials.
According to the treasurer of OpenID, John Bradley, "OpenID originally only supported full-frame redirection to the IdP to try and make the browser bar clear." He further elaborated that although some IdPs support pop-up windows with an address bar, they should not present the login inside an iframe. Furthermore, if a user has previously signed in with their OpenID provider, they should not be prompted to enter their credentials again.
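To make Bradley's "full-frame only" rule concrete, here is an added example (it is not code from the article, from the OpenID Foundation, or from any identity provider) showing, on the IdP side, the response headers that stop a browser from rendering a login page inside an iframe on another site, a client-side check that refuses to draw the credential form when the page is not the top-level window, and, on the user side, the address-bar check from the previous paragraph written as code. The host names, URLs, and window-like objects are constructed for illustration.

```javascript
// Added example, not from the article or from any IdP's code. Host names,
// URLs and the window-like objects below are constructed for illustration.

// Headers an IdP should send with its login page so that browsers refuse to
// render it inside an <iframe> on any other origin. X-Frame-Options is the
// legacy mechanism; the CSP frame-ancestors directive is the modern one.
// Sending both covers old and new browsers.
function idpLoginResponseHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
    // Do not let intermediaries cache and replay a page carrying a login form.
    'Cache-Control': 'no-store',
  };
}

// Belt-and-braces check that runs inside the login page itself: if the page is
// not the top-level browsing context it has been framed, so the credential
// form must not be rendered. Takes a window-like object so it can be exercised
// outside a browser.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // A cross-origin parent makes win.top inaccessible; treat that as framed.
    return true;
  }
}

function shouldRenderLoginForm(win) {
  return !isFramed(win);
}

// The user's address-bar check, expressed as code: the page must be served
// over HTTPS and its host must be the IdP's host or a subdomain of it. A
// lookalike such as "example-idp.com.evil.test" fails because the check
// compares the domain suffix, not a substring.
function isExpectedIdpOrigin(addressBarUrl, expectedIdpHost) {
  let url;
  try {
    url = new URL(addressBarUrl);
  } catch (e) {
    return false; // not a parseable URL at all
  }
  if (url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  const expected = expectedIdpHost.toLowerCase();
  return host === expected || host.endsWith('.' + expected);
}

// Stand-alone demonstration with constructed values.
const topLevelWindow = {};
topLevelWindow.self = topLevelWindow;
topLevelWindow.top = topLevelWindow;
const framedWindow = { self: {}, top: {} };

console.log('IdP login headers:', idpLoginResponseHeaders());
console.log('top-level page renders form:', shouldRenderLoginForm(topLevelWindow)); // true
console.log('framed page renders form:', shouldRenderLoginForm(framedWindow));      // false
console.log(isExpectedIdpOrigin('https://login.example-idp.com/auth', 'example-idp.com'));     // true
console.log(isExpectedIdpOrigin('https://example-idp.com.evil.test/auth', 'example-idp.com')); // false
console.log(isExpectedIdpOrigin('http://login.example-idp.com/auth', 'example-idp.com'));      // false
```

The headers are the part that actually protects users who never look at the address bar: with `frame-ancestors 'none'` in place, a phishing site cannot embed the genuine IdP page and overlay it, and the only way to present a convincing login is to redirect the browser's top-level window to the real provider, which is exactly the flow Bradley describes.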
Good news for OpenID users: the foundation is close to releasing a new version titled OpenID Connect, which will let users enter their credentials through a uniform login page. The foundation also warns users to stay alert before entering credentials on any page that claims to be their IdP.
The whole purpose of OpenID is to make it easier for people to log in to websites without having to create yet another account. Many popular websites offer it as an alternative to traditional sign-ups, including Yahoo, AOL, Facebook, WordPress, SixApart, MySpace, and Google.