On Security Vulnerabilities

We here at JanRain pride ourselves on our responsiveness to the community and our customers. We strongly believe in OpenID as a platform and put our money where our mouth is by running a highly robust and secure identity provider. From time to time we get messages from users who believe they have found a security vulnerability in our libraries or the MyOpenID server. We take these reports seriously, and when there is a problem we patch it very quickly and release an update. We've done this with our libraries as well as MyOpenID. We have had people make claims about our security before and we have had to refute them. This is just part of participating in an open community.

On Friday 11/24/2006 at 11:28 AM PST we received an email from Dmitry Shechtman that stated the following:

Hello,

I think I just found a big hole in your site’s security.

I successfully signed up for an existing account with a different email address.

Regards,

Dmitry

Dmitry is the author of the phpBB OpenID plugin that we’ve all been looking forward to seeing. I’m really excited about this plugin as I believe forum adoption will be critical to the success of OpenID. Dmitry has been using MyOpenID.com as a test server while he works on implementing the plugin. The message was received and was immediately put in our support queue. By 3pm I got a note from one of my engineers who had looked at the problem saying:

If you sign up for an account and you use the same password as an account that already exists, it effectively works like confirming a change of email address. I'm guessing this is what happened with this guy. I tried signing up for an account I already have, and it only works if I enter the same password that is already set for the account.

You can actually still see this behavior on the MyOpenID.com site right now. If you go to the new account registration screen, enter the username and password of an existing account (you have to know both of them) and then enter an email address, a confirmation mail for that MyOpenID account goes out to the address you entered, even if it differs from the email originally used to create the account. This is effectively the same as changing your email address. The functionality is flawed in that it's confusing: a signup form should not double as an account-settings form. We'll be fixing this in the next couple of days. However, you still have to know the username and password of the account to make it work. If someone has those, the account is already compromised.
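To make the distinction concrete, here is an added Python sketch that is not JanRain's or MyOpenID's code. It reproduces the pre-fix signup behaviour described above (existing username plus matching password is treated as an email-change confirmation) beside a hardened handler that rejects any signup for a taken username and routes email changes through a separate, authenticated flow. The account store, the PBKDF2 hashing, the token format and the in-memory mail queue are all assumptions made for the example; the page says nothing about how MyOpenID implemented them.

```python
"""Added example, not MyOpenID's code: the pre-fix signup behaviour the post
describes beside a hardened signup plus a separate email-change flow.
Account store, hashing scheme, token format and mail queue are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    email: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the scheme MyOpenID actually used is not stated on the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # (recipient, subject) pairs stand in for the outgoing mail queue.
        self.outbox: List[Tuple[str, str]] = []

    def _create(self, username: str, password: str, email: str) -> str:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt), email)
        self.outbox.append((email, f"welcome {username}"))
        return "created"

    def _password_ok(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)

    def signup_confusing(self, username: str, password: str, email: str) -> str:
        """Pre-fix behaviour as the post describes it: an existing username plus
        its correct password is handled like an email-change confirmation."""
        acct = self.accounts.get(username)
        if acct is None:
            return self._create(username, password, email)
        if not self._password_ok(acct, password):
            return "rejected: username taken"
        acct.pending_email = email
        acct.pending_token = secrets.token_urlsafe(16)
        self.outbox.append((email, f"confirm new address for {username}"))
        return "confirmation sent"

    def signup_hardened(self, username: str, password: str, email: str) -> str:
        """Post-fix behaviour: a taken username is rejected before the password
        is looked at, so the signup form never doubles as a password check."""
        if username in self.accounts:
            return "rejected: username taken"
        return self._create(username, password, email)

    def request_email_change(self, session_user: str, new_email: str) -> str:
        """Email changes belong to the authenticated account-settings flow;
        session_user is whoever the login session belongs to. Returns the
        confirmation token that would be embedded in the mailed link."""
        acct = self.accounts[session_user]
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(16)
        self.outbox.append((new_email, f"confirm new address for {session_user}"))
        return acct.pending_token

    def confirm_email_change(self, username: str, token: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.pending_token is None:
            return False
        if not hmac.compare_digest(acct.pending_token, token):
            return False
        acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
        return True


def demo() -> dict:
    """Runs both handlers against one existing account (constructed data)."""
    idp = IdentityProvider()
    idp.signup_hardened("alice", "correct horse", "alice@example.com")
    results = {
        "old_wrong_pw": idp.signup_confusing("alice", "guess", "mallory@example.com"),
        "old_right_pw": idp.signup_confusing("alice", "correct horse", "alice2@example.com"),
        "new_right_pw": idp.signup_hardened("alice", "correct horse", "alice2@example.com"),
    }
    token = idp.request_email_change("alice", "alice3@example.com")
    results["bad_token"] = idp.confirm_email_change("alice", "not-the-token")
    results["good_token"] = idp.confirm_email_change("alice", token)
    results["final_email"] = idp.accounts["alice"].email
    results["mailed_to"] = [to for to, _ in idp.outbox]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the point of the post: the old handler only sends a confirmation to the new address when the caller already holds the correct password, and a wrong password is rejected exactly as a taken username would be. The hardened handler rejects the existing username outright, and the only way to move the account to a new address is the separate flow that starts from an authenticated session and ends with the token mailed to that address.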

Since we determined that it was not a security vulnerability but really a usability problem, we waited until Saturday to reply to Dmitry. I did my best to respond on Saturday to the public claims Dmitry had made, but he was not convinced. He disabled access to the test.phpbb.cc site for all MyOpenID accounts and continued to state that there was a security vulnerability.

I chatted with him via IM today, tried to talk through the issues he saw, and hoped to have him post a retraction about the MyOpenID service. His concern was that we could easily have changed the behavior of the site over the weekend to solve this problem and he would never know. Drilling down further, he said that he hadn't actually looked all that hard at the problem on Friday. This puts the burden of proof on us to show that we haven't "secretly" changed the site's behavior over the weekend to avoid an embarrassing announcement. If we screw up, we're at fault and we'll take any and all actions necessary to fix the problem, as well as admit to the mistakes we might have made. That's our duty in providing identities for end-users and something we believe in very strongly.

Just for the record; we have not made any changes to the MyOpenID service since Thursday afternoon and we have done nothing to try to cover up this claimed security vulnerability. Go try it out for yourself; the behavior is still there today.

Update: I fixed the link to the phpBB OpenID plugin site.

Update v2.0: Fixed some links that broke when Dmitry moved some things around on the forum links above.

About the author

kveton (http://kveton.myvidoop.com)

26 November 2006

5 Comments

1.

    As I repeatedly noted in our conversation, a test board hardly counts as an arena for public claims. But since we have gone public with this now, here are a few backlinks:

    http://test.phpbb.cc/viewtopic.php?t=37
    http://test.phpbb.cc/viewtopic.php?t=38

    Vulnerability or not, coverup or not — you are invited to draw your conclusion.

2.

    That wasn’t the only place you made that public claim:

    http://startrekguide.com/forum/viewtopic.php?p=12128

    We take security seriously here, so we respond to any and all questions about the quality of the services we provide. Test site or otherwise, people might happen upon that site via Google and not know it's a test site. I'd rather err on the side of full disclosure and discussion than not.

    Thanks for the post Dmitry!

3.

    Full disclosure is open source to me. Why didn’t you agree to open your code repository, not even under NDA?

    And what’s wrong with your clock?

4.

    For the very reason that you have not given me any cause to do so. From previous experience, I’m not convinced you could do a thorough analysis.

    I'm sorry we didn't get back to you as quickly as we normally respond to such events. However, the timing of these events was correct; we simply failed to notify you in a timely fashion.

    You continue to question my integrity at every opportunity and yet you have not shown one bit of proof of a security vulnerability.

5. j3h

    We have just made a release that changes the behavior so that it rejects sign-ups even if the entered credentials match an existing account. This should make the sign-up process less confusing if people are testing it.
