Skip to content

OpenIDs at LiveJournal leaking auth info

Joseph Petviashvili (krotty), creator of the Skype-based Bitchun Society, writes today about his detection that LiveJournal is leaking his auth info via the check_immediate feature in OpenID. I haven’t seen any other discussion of this. Can anyone confirm?

open id from livejournal is not safe

If you are logged in to livejournal, that information can be shared with third parties without your consent through OpenID. Right now livejournal.ru and kommersant.ru are doing it.

Have not found a way to disable it, they are using http://www.livejournal.com/openid/server.bml?openid.mode=checkid_immediate and livejournal is giving out my auth info without asking…

Tags: - -

View blog reactions

{ 5 } Comments

  1. Tara Kelly | May 24, 2007 at 12:09 pm | Permalink

    I have no idea if this rumor is true or not.

    Nonetheless – and I may be generalizing too much so someone flame me if I’m out of bounds – I would tend to think it’s better to choose a *dedicated* OpenID provider than to just trust your blogging platform.

    Why? Because blogging platforms are specialized in blogs, whereas dedicated OpenID services are specialized in OpenID. There’s a big difference there.

    Just my 2c.
    Cheers,
    Tara

  2. Simon Spero | May 24, 2007 at 12:34 pm | Permalink

    check_immediate should fail if the RP has not previously been approved. I haven’t checked to see if this isn’t being done, but LJ does check authorization if checkid_setup is used.

    The list of sites pre-authorized to check credentials can be edited at http://www.livejournal.com/openid/options.bml

  3. joe | May 25, 2007 at 12:18 pm | Permalink

    Simon, thanks for the link to the preapproved web sites, kommersant.ru and livejournal.ru are not on the list. The whole thing is a side effect of SUP.com / LiveJournal deal, where the rights to service russian part of livejournal were given to a russian company. If you have livejournal account, sign into it and go to livejournal.ru and you will see your name in the top right corner. kommersant.ru has a deal with SUP / livejournal.ru to render comments.

    That means that even when you are not in russia you can be tracked by a moscow based company as you visit sites they have a deal with.

  4. Terrell Russell | May 25, 2007 at 12:27 pm | Permalink

    So, Joe, this is to say that this isn’t as much a leak in OpenID or LiveJournal’s implementation of it – but rather, a business deal with ramifications.

  5. joe | May 25, 2007 at 2:45 pm | Permalink

    SUP has a deal with livejournal, kommersant has a deal with SUP, but the end result is that my info is leaked without my authorization both to SUP and kommersant. What prevents kommersant from having a deal with some other company and leaking it even further?