
By Mayank Upadhyay, Google Security Team

A group of security researchers recently identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX) that could cause an authentication bypass vulnerability. Google is a strong supporter of federated login on the web and would like to help spread awareness of this issue to websites that are OpenID relying parties in order to protect the users of those websites. This issue primarily impacts websites that act as relying parties using the OpenID4Java library.

The researchers determined that the affected sites were not confirming that certain information passed through AX was properly signed. If the site was only using AX to receive information like the user’s self-asserted gender, then this issue would be minor. However, if it was being used to receive security-sensitive information that only the identity provider should assert, then the consequences could be worse.

A specific scenario identified involves a website that accepts an unsigned AX attribute for email address, and then logs the user in to a local account on that website associated with the email address. When a website asks Google’s OpenID provider (IDP) for someone’s email address, we always sign it in a way that cannot be replaced by an attacker. However, many websites do not ask for email addresses, for privacy reasons among others, and so it is a perfectly legitimate response for the IDP not to include this attribute by default. An attacker could forge an OpenID request that doesn’t ask for the user’s email address, and then insert an unsigned email address into the IDP’s response. If the attacker relays this response to a website that doesn’t notice that this attribute is unsigned, the website may be tricked into logging the attacker in to any local account.

The researchers contacted the primary websites they identified with this vulnerability, and those sites have already deployed a fix. Similarly, Google and other OpenID Foundation members have worked to identify many other websites that were impacted and have helped them deploy a fix. There are no known cases of this attack being exploited at this point in time.

A detailed explanation of the use of claimed IDs and email addresses can be found in Google’s OpenID best practices.

Google would like to thank security researchers Rui Wang, Shuo Chen and XiaoFeng Wang for reporting their findings. The OpenID Foundation has also done a similar blog post on the issue.

Action Required:
  1. If you are an OpenID relying party, then you should read the Suggested Fix section below to see if this vulnerability might apply to you, and what to do about it.
  2. If you are an application developer that uses OpenID relying party services from someone else, like your container provider or some network intermediary, please read the Suggested Fix section to see if your service is listed there. Otherwise, you should check with that entity to make sure they are not susceptible to this issue.

Suggested Fix:

As a first step, we recommend modifying vulnerable relying parties to accept AX attribute values only when signed, irrespective of how those attributes might get used.
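The attack scenario described earlier (an attacker relays a genuine IDP response with an unsigned email attribute added) and the fix recommended here (accept AX values only when signed) come down to one check on the relying party side: an AX attribute is trustworthy only if its fields are listed in openid.signed and the signature over those fields verifies. The Python below is an added example, not code from the original post, from OpenID4Java or from Google's OpenID provider. It simulates a minimal OP that signs a positive assertion with an HMAC-SHA256 association, an attacker who appends an unsigned AX email block to that assertion, and a relying party extractor in its vulnerable and its hardened form. The MAC key, endpoints, identifiers, nonce and e-mail addresses are constructed stand-ins, not real values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"
# Constructed stand-in for the association MAC key shared by OP and RP (assumption).
MAC_KEY = b"constructed-association-mac-key"


def parse_response(query):
    """An indirect response arrives as a query string; turn it into a dict."""
    return dict(parse_qsl(query, keep_blank_values=True))

def signed_fields(params):
    return [f for f in params.get("openid.signed", "").split(",") if f]

def kv_form(params):
    """Signature base: key-value form ("key:value\\n") of the fields named in
    openid.signed, in that order, with the "openid." prefix removed."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields(params))

def sign(params, mac_key=MAC_KEY):
    """Base64 HMAC-SHA256 over the key-value form (HMAC-SHA256 association)."""
    mac = hmac.new(mac_key, kv_form(params).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_signature(params, mac_key=MAC_KEY):
    return hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", ""))

def find_ax_alias(params):
    """Alias bound to the AX namespace ("ext1" for openid.ns.ext1), or None."""
    return next((k[len("openid.ns."):] for k, v in params.items()
                 if k.startswith("openid.ns.") and v == AX_NS), None)

def ax_values_unsafe(params):
    """Vulnerable pattern: every openid.<alias>.value.* that is present is trusted."""
    alias = find_ax_alias(params)
    if alias is None:
        return {}
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}

def ax_values_signed(params):
    """Hardened: keep a value only if the namespace binding, the attribute type
    and the attribute value are all listed in openid.signed."""
    alias = find_ax_alias(params)
    signed = set(signed_fields(params))
    if alias is None or f"ns.{alias}" not in signed:
        return {}
    prefix = f"openid.{alias}.value."
    out = {}
    for k, v in params.items():
        if k.startswith(prefix):
            name = k[len(prefix):]
            if {f"{alias}.type.{name}", f"{alias}.value.{name}"} <= signed:
                out[name] = v
    return out

def op_response(ax_email=None):
    """Constructed positive assertion; the OP includes and signs an AX email
    only when the request asked for one. All URLs and handles are made up."""
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": "https://op.example/id/attacker",
        "openid.identity": "https://op.example/id/attacker",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2011-04-19T00:00:00Zabcdef",
        "openid.assoc_handle": "constructed-handle",
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    if ax_email is not None:
        p.update({"openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
                  "openid.ext1.type.email": AX_EMAIL,
                  "openid.ext1.value.email": ax_email})
        signed += ["ns.ext1", "ext1.mode", "ext1.type.email", "ext1.value.email"]
    p["openid.signed"] = ",".join(signed)
    p["openid.sig"] = sign(p)
    return urlencode(p)

def attacker_tamper(query, victim_email):
    """Relay the OP's genuine response with an unsigned AX email block appended."""
    p = parse_response(query)
    p.update({"openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
              "openid.ext1.type.email": AX_EMAIL,
              "openid.ext1.value.email": victim_email})
    return urlencode(p)

def rp_login_email(query, extractor):
    """RP side: verify the signature first, then read the email via the extractor."""
    p = parse_response(query)
    if not verify_signature(p):
        return None
    return extractor(p).get("email")
```

With a response the OP never saw an email request for, the attacker's appended fields leave the signature intact, so `verify_signature` passes; `ax_values_unsafe` then hands the attacker-chosen address to the login logic, while `ax_values_signed` returns nothing because `ns.ext1`, the type field and the value field are absent from openid.signed. Checking openid.signed is only meaningful after the signature itself has been verified, which is why `rp_login_email` does that first; in a real relying party that step is the library's association or check_authentication verification rather than this local HMAC. The hardened extractor also insists that the namespace binding and the attribute type are signed, since an attacker who controls the request can otherwise supply an entire AX block the OP never emitted.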

During our investigation we confirmed that apps using the OpenID4Java library, with or without the Step2 wrapper, are prone to accepting unsigned AX attributes. OpenID4Java has been patched with the fix in version 0.9.6.662 (19th April, 2011).

Kay Framework was known to be vulnerable and has since been patched. Users should upgrade to version 1.0.2 or later. Note that Google App Engine developers that use its built-in OpenID support do not need to do anything.

Other libraries may have the same issue, although we do not believe that the default usage of OpenID services and libraries from Janrain, Ping Identity and DotNetOpenAuth are susceptible to this attack. However, the defaults may be overridden and you should double check your code for that.

We also suggest reviewing your usage of email addresses retrieved via OpenID to ensure that adequate safeguards are in place. A detailed explanation of the use of claimed IDs and email addresses can be found in our OpenID best practices, published for Apps Marketplace developers, which also apply to relying parties in general.


Mayank Upadhyay works on authentication and identity problems on the Google Security Team.
His previous experience includes similar work at Sun Microsystems and various companies in the WiFi security space.


Posted by Scott Knaster, Editor
2013, By: Seo Master
Online Learning Apps - When it comes to teaching and learning, in this modern, digital era the learning system certainly has to change from manual methods to digital ones. So what is the purpose of fully digital learning? Among other things: effectiveness, speed and accuracy in learning.

Learning with a learning app can help you increase your knowledge, and most importantly you can learn without having to be in a particular room; you can learn without limits and without time constraints.

One way to learn digitally is to use an online learning app, whether on a phone or on a laptop. These enjoyable online learning apps can be downloaded at Aplikasi Belajar.

Online Learning Apps

There you will find a great many apps that support online learning and can make learning, or even teaching, easier for you. Anyone can download these apps and put them to use, so that learning is no longer limited by place and time but can happen anywhere: while playing, on holiday or while travelling.

Download these excellent online learning apps right away from the sites below:

This simple trick will help you change the size of the avatars in Blogger comments. To change the style and size of the avatars, we have to add some CSS to our Blogger template. So, let's begin:


    Step 1. Go to Dashboard - Template - click on the Edit HTML button - Proceed

    ...now select Expand Widget Template (I recommend making a backup first).

    Step 2. Find (CTRL + F) this code in your template:

    ]]></b:skin>

    Step 3. Copy and paste one of the following codes just above it:

    [Works in Blogger threaded comment system]

    .comments .avatar-image-container{
    background-color: rgb(34, 34, 34);
    border:1px solid #ccc;
    margin: 0px 10px 0px 0px;
    padding: 0px 0px 0px 0px;
    width: 64px;       /* avatar width: change this value to resize */
    max-height: 64px;  /* avatar height: keep it equal to the width */
    }
    .comments .avatar-image-container img{
    margin: 0px 0px 0px 0px;
    padding: 0px 0px 0px 0px;
    max-width: 64px;   /* must match the container width above */
    height: 64px;      /* must match the container height above */
    }

    [for old blogger commenting system]

    .avatar-image-container{
    border:1px solid #d6d6d6;
    margin-left: -30px;
    -moz-border-radius: 4px;
    background:#fff;
    height:70px;       /* avatar height: change the 70px values to resize */
    min-height: 70px;
    width:70px;        /* avatar width: keep it equal to the height */
    min-width:70px;
    }
    .avatar-image-container img {
    /* fallback image shown for anonymous commenters: replace this URL with your own */
    background: url(http://www.matrixar.com/-gcjQ0sgWw7M/T6WpkK4S5AI/AAAAAAAACEQ/hYAWpCPl6P0/s200/anonymous.jpg);
    background-repeat: no-repeat;
    background-position: center;
    background-size: 100%;
    width:70px;        /* must match the container size above */
    min-width:70px;
    height:70px;
    min-height:70px;
    }

    Note: If you want bigger or smaller avatars, change the size values (64px in the threaded-comments code, 70px in the old-system code) in the width and height properties, keeping width and height equal. To change the anonymous avatar, replace the image URL in the background property with your own (this works only for the previous commenting system).

    Step 4. Save the Template.

    Now view your blog to see the results. Hope you enjoy!

