Update on OpenID and OAuth Security

By Michael Olson | Posted on July 18, 2010

Update: In our ongoing effort to support the OpenID standard and ensure its widespread use and adoption through the web, Janrain has patched the PHP, Ruby and Python open source OpenID libraries. Janrain Engage and Janrain Federate have also been updated to eliminate any non-constant time comparisons. These patches were developed and applied in response to the proposed timing attack vulnerabilities. Although no successful security breaches have been reported, the code changes made in these libraries will prevent any future attempts using this particular attack vector. Janrain is happy to provide this support back to the open source community for its continued success and prosperity.

A few posts and online articles were published late last week about a potential “timing attack” security issue with OpenID and OAuth. We’d like to provide a quick communication update.

The reported issue is not a flaw in OpenID or OAuth at a protocol level, but rather in the manner in which some of the libraries have been implemented. After evaluating the hypothetical attack scenarios in the past week, we have deemed the probability of a viable exploit to be very low to nonexistent. In communications with our partners and peers in the community, they have reached the same conclusion.

Nonetheless, it seems prudent to remove this as a potential vector. We will be updating the Janrain Engage and Federate production versions this week to eliminate any non-constant time comparisons. Our customers and end-users will not need to do anything additional; the upgraded service will function with complete compatibility.

In addition to further auditing our Janrain Engage and Janrain Federate product offerings, we will be patching the open source Python and Ruby libraries that we have contributed to in the past.
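To illustrate what "eliminating non-constant time comparisons" means in a signature check, here is an added example; it is not code from the Janrain libraries or from this post. It assumes an HMAC-SHA1 message signature, and the key, message and function names are constructed for the illustration.

```python
import hashlib
import hmac

def early_exit_equals(a: bytes, b: bytes):
    """Non-constant-time compare: stops at the first mismatching byte.
    Returns (equal, bytes_examined) so the data-dependent work is visible."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined  # work done reveals the matching prefix length
    return True, examined

def constant_time_equals(a: bytes, b: bytes):
    """Examines every byte and accumulates differences; no early exit."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined

def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha1).digest()

def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    # In production code, use the standard library's constant-time primitive.
    return hmac.compare_digest(sign(key, message), signature)

def demo():
    """For a first mismatch at byte 0, 5 and 19, report how many bytes
    each comparison examines before returning."""
    key = b"constructed-shared-secret"          # constructed sample key
    msg = b"mode=id_res&identity=user.example"  # constructed sample message
    good = sign(key, msg)                        # 20-byte SHA-1 MAC
    rows = []
    for i in (0, 5, 19):
        bad = good[:i] + bytes([good[i] ^ 0xFF]) + good[i + 1:]
        rows.append((i, early_exit_equals(good, bad)[1],
                     constant_time_equals(good, bad)[1]))
    return rows

if __name__ == "__main__":
    for pos, early, const in demo():
        print(f"mismatch at byte {pos}: early-exit examined {early}, constant-time examined {const}")
```

The early-exit version does an amount of work that tracks the position of the first wrong byte, while the constant-time version always examines all 20 bytes; `hmac.compare_digest` provides the latter behaviour in the Python standard library.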

We hope that this communication addresses any security concerns you might have had and answers any questions about Janrain’s commitment to your application security. Rest assured that we are diligently monitoring any possible security issues and aggressively responding as necessary.


Larry Drebes

About the author

Michael Olson

Senior Product Marketing Manager

Michael Olson joined Janrain more than five and a half years ago and has experienced the explosive growth of the digital marketing technology landscape. Previously, he managed demand generation programs at Janrain. Currently, as the Senior Product Marketing Manager, Michael drives go-to-market strategy for product launches as well as positioning and messaging to communicate the value of customer profile management solutions to companies. Michael's writing has been featured in publications such as GigaOM, Adotas and iMedia Connection.
