Cross-Site Request Forgeries
Along the line of Identity 2.0 threats, there are threats such as the cross-site request forgery (CSRF), which is an attack vector that also abuses the browser’s same origin policies, but without the need to inject malicious code within the attacked website context. CSRF attacks perform blind GET or POST requests to resources that are not protected by unique tokens. Since the browser is configured to supply the necessary information, such as browser cookies and other settings to every request, attackers can perform actions on behalf of the user. In this case, if the user is logged into the identity provider and visits a malicious page that executes a CSRF attack that causes a password reset, for example, attackers can hijack the user’s identity again. CSRF attacks can be used on places (apart from the identity provider domain) that are not protected. According to the latest surveys, almost every web application is vulnerable to this type of attack. Identity service providers may as well be.
Even if service providers are protected against XSS, CSRF, and other types of injection/protocol attacks, there will always be the human factor involved in the whole equation. This is where phishing attacks and the ancient password cracking/guessing attacks come into place. Phishing as an industry has developed a lot with the years. Identity management services only encourage it to go even further.
OpenID, for example, is a type of a protocol that redirects visitors to a specific OpenID service provider based on the user identity URL. However, the website that we try to identify with could provide us with a malicious website that imitates to a great extent the way the real identity provider looks like, but most definitely is not. Security-aware users might be able to spot the attack. They may check the URL in the address bar and verify the SSL certificate. However, everybody can make the mistake of typing credentials into something they shouldn’t when they are in a rush. Sometimes, users want to get the things done. If we have the ability to identify ourselves in two simple steps, what would stop us to do that for every service we find online?