Jeff’s OpenID account gets hacked

No, not me (at least not me so far as I know). The Jeff in question is Jeff Atwood of the Coding Horror blog (one of my favorite dev blogs). Jeff relates how his OpenID account was hacked here and here. It’s fascinating reading, especially because the hacker was of the friendly sort who apparently just did it to point out the vulnerability.

The hacker obtained the unsalted hash of Jeff’s password from a different site, looked that hash up on one of the reverse-hash web sites, then guessed Jeff’s OpenID provider and tried the recovered password there. Since Jeff had used the same password in both places, the hacker was able to log in at the OpenID provider as Jeff and impersonate him at Jeff’s StackOverflow web site, which depends on OpenID for authentication.
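To make concrete why the unsalted hash was the weak link in that chain, here is an added example (not from Jeff’s posts or from any of the sites involved) that contrasts an unsalted SHA-1 password store against a salted, iterated PBKDF2 store; the user name, passwords and the reverse table are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed: a site that stores bare, unsalted SHA-1 hashes of passwords.
UNSALTED_STORE = {
    "jeff": hashlib.sha1(b"correct horse").hexdigest(),
}

# A "reverse hash" site is, at bottom, a precomputed table mapping hashes of
# common passwords back to plaintext. This tiny table is constructed for the demo;
# real ones hold billions of entries, but the principle is identical.
REVERSE_TABLE = {
    hashlib.sha1(p.encode()).hexdigest(): p
    for p in ["password", "letmein", "correct horse", "qwerty"]
}

def lookup_unsalted(digest: str) -> Optional[str]:
    """An unsalted hash is the same on every site, so one shared table answers it."""
    return REVERSE_TABLE.get(digest)

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest).

    A fresh random salt per user means the same password produces a different
    digest on every site, so no precomputed table can be shared between them,
    and the iteration count makes per-guess brute force expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)
```

Note that salting fixes only the first link: if the same password is reused at the OpenID provider, a leak of the plaintext by any other route still opens the door.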

Here is an interesting question: is it dangerous to reveal your preferred choice of OpenID provider? I suspect there is nothing dangerous about it, given people’s propensity to flock to one of the big players anyway. Even if there are a plethora of OPs, the bad guys will just script a solution that tries a list of known OPs until a hit is made.
