Update on OpenID and OAuth Security

Update: In our ongoing effort to support the OpenID standard and ensure its widespread use and adoption across the web, Janrain has patched the PHP, Ruby and Python open source OpenID libraries. Janrain Engage and Janrain Federate have also been updated to eliminate any non-constant-time comparisons. These patches were developed and applied in response to the proposed timing attack vulnerabilities. Although no successful security breaches have been reported, the code changes made in these libraries will prevent any future attempts using this particular attack vector. Janrain is happy to provide this support back to the open source community for its continued success and prosperity.

A few posts and online articles were published late last week about a potential “timing attack” security issue with OpenID and OAuth. We’d like to provide a quick communication update.

The reported issue is not a flaw in OpenID or OAuth at the protocol level, but rather in the manner in which some of the libraries have been implemented. After evaluating the hypothetical attack scenarios over the past week, we have deemed the probability of a viable exploit to be very low to non-existent. In communications with our partners and peers in the community, they have reached the same conclusion.

Nonetheless, it seems prudent to remove this as a potential vector. We will be updating the Janrain Engage and Federate production versions this week to eliminate any non-constant-time comparisons. Our customers and end-users will not need to do anything additional; the upgraded service will function with complete compatibility.

In addition to further auditing our Janrain Engage and Janrain Federate product offerings, we will be patching the open source Python and Ruby libraries that we have contributed to in the past.
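To illustrate the class of change described above, here is an added example (not Janrain's code, nor the actual library patch) showing an early-exit signature comparison beside the constant-time form that the patches replace it with; the association secret and the signed OpenID message are constructed sample values, and the fixed-length SHA-256 HMAC stands in for the library's signature scheme.

```python
import hmac
import hashlib

# Constructed sample values: an OpenID association secret and a signed
# response that a relying party would verify.
SECRET = b"constructed-association-secret"
MESSAGE = b"openid.mode=id_res&openid.claimed_id=https://example.invalid/user"


def sign(message: bytes, secret: bytes = SECRET) -> bytes:
    """HMAC-SHA256 over the message; the signature the provider sends."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def naive_verify(message: bytes, received_sig: bytes, secret: bytes = SECRET) -> bool:
    """Vulnerable form: returns as soon as one byte differs, so the time
    taken depends on how many leading bytes of the guess were correct."""
    expected = sign(message, secret)
    if len(expected) != len(received_sig):
        return False
    for a, b in zip(expected, received_sig):
        if a != b:
            return False
    return True


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Hardened form: always walks every byte and accumulates differences
    with XOR/OR, so the running time does not depend on where they differ.
    Leaking the length is acceptable here because digest lengths are fixed."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def hardened_verify(message: bytes, received_sig: bytes, secret: bytes = SECRET) -> bool:
    return constant_time_equal(sign(message, secret), received_sig)


def stdlib_verify(message: bytes, received_sig: bytes, secret: bytes = SECRET) -> bool:
    """Same check using the standard library's constant-time comparison."""
    return hmac.compare_digest(sign(message, secret), received_sig)
```

Both hardened variants accept exactly the signatures the naive check accepts; only the rejection path changes, which is why the upgrade is transparent to callers.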

We hope that this communication addresses any security concerns you might have had as well as answers any questions about Janrain’s commitment to your application security. Rest assured that we are diligently monitoring any possible security issues and aggressively responding as necessary.
_______
Larry Drebes
CTO