Clickjacking and CSRF attacking OpenID

From IIW

Convener: Andy Dale (=Andy)


  • Steve Williams,
  • Jeff Hodges,
  • Larry Cymkin,
  • Joe Steele
  • Jon Nichols
  • Paul Bryan
  • Scott Bloomquis

Technology Discussed/Considered: Open ID, InfoCard (briefly) Discussion notes:

Overview of CSRF & clickjacking - Clickjacking can get around CSRF nonce protections

With OpenID - this becomes much worse

  • redirect to target site via CSRF
  • use click-jacking to have user OK on their OP site?


  • Use frame-busting code
  • Don't let GET change stuff
    • POST is still vulnerable -- but can't do that from image tag
  • Use nonces for forms (for CSRF -- Steve Williams @ Digg mentioned)
    • can do this for OP login request also (allowed by OpenID)
    • reverify at the RP before accepting auth
  • Partition session cookies by process
  • Show a dialog?
  • Show an entry page always?
  • Use HTTPS -- then Referrer header can be trusted
  • Can education fix this?

Q: Does clicking on an IFrame transmit click to frames beneath?

  • transparent, low opacity iframes make this question moot
  • Transparent SSO is the issue -- global OP cookie is an example of this
  • The real fix is intelligent clients --- maybe a better browser?
  • If everything at RP is fixed -- you are ok
    • no XSS vulns
    • nonces for requests
    • frame-busting code
    • limited cross-domain policy
  • Mention "important security code uses Javascript" to get user to turn it on
    • supposed to mitigate vulnerabilities
    • could expose more vulnerabilities

Q: Why does browser not prevent clicking when opacity drops below some level?

  • what is that level?
  • what about "look alike" sites which are not opaque?

Q: What about InfoCard?

  • Charles Andres showed a UI-less clickin for InfoCard
  • Exposes same vulnerability?