MyOpenID Security Fix

By Janrain Team | Posted on March 22, 2007

Yesterday, Gareth Heyes alerted us to a vulnerability in MyOpenID’s OpenID approval. Luckily, Gareth was one of the good guys and helped us to reproduce the problem, so that we could put out a fix within hours. It’s also fortunate that the vulnerability did not apply to the majority of MyOpenID’s users.

Who was exposed, and how?

If you are not a Safari user, you were not exposed to the vulnerability. In the past month, 3% of requests to MyOpenID came from browsers that identified themselves as Safari, so the vast majority of our users were not exposed. The vulnerability has been fixed, so no users are currently exposed to it.

The exploit allowed an attacker to sign a user into any OpenID consumer. Essentially, this attack exposed personal information (a confirmation that the user controls a given URL, plus any information in their default persona) to a third-party site, without the user’s approval.

The attacker could also add the site to the user’s trusted sites list, so that further authentication requests would succeed without interaction if the user is signed in to MyOpenID.

The attacker was not able to steal the user’s credentials (password), nor were they able to sign in to a site as that user.

How can I tell if I have been exposed?

There are no known cases of malicious exploitation of this vulnerability in the wild. If you are a Safari user and a MyOpenID user, you can check your trusted sites list to see if there are any sites present that you did not authorize. You can get to your trusted sites list by signing in to MyOpenID, visiting your Settings page, and clicking on the "Sites" tab.

How did it work?

Right now, Gareth is working with other OpenID providers to ensure that they are not vulnerable to similar attacks. We will make a later post about the technical details once those discussions are complete.

We take security seriously, and we welcome reports of potential security problems. Your feedback helps us make MyOpenID the best OpenID provider.