Closed Bug 493526 Opened 16 years ago Closed 15 years ago

OpenID sign-in feature in its current form is a privacy hazard

Categories

(Mozilla Labs :: Identity, defect)

Type: defect
Priority: Not set
Severity: major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jwkbugzilla, Unassigned)

Details

Attachments

(1 file)

Attached file Proof of concept
When Weave 0.3.2 encounters an OpenID login form it currently fills in the user's OpenID, hides it and changes the text of the submit button. The problem with this is that the website can see all these changes. In particular, it can get the user's Weave account name from the OpenID without any effort whatsoever - great for identifying/tracking users. See the proof of concept attached; it can get the user's Weave name even if the user is logged out of Weave (which is probably a bug).

The obvious solution would be filling in the OpenID data only when the user actually clicks the "Sign in using Weave" button, thus indicating that he wants to submit his identity to the website. The code should be checking the event.isTrusted property to verify that this was really the user clicking and not the website generating an event. But even then, it is too easy to trick the user into clicking a button - e.g. by modifying the text of the button or by making it transparent and placing it under the user's mouse (remember, this button has been put into the webpage, meaning that it can do anything with it).

In the end, I don't think any secure solution can be designed with a UI element that is within the webpage's reach. So I would be thinking in the direction of context menus and/or panel elements.
Group: core-security → client-services-security
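Added example, not Weave's code or the reporter's proof of concept: a minimal stand-in for an OpenID login form, with the fill-at-load behaviour described in the report beside the fill-on-trusted-click mitigation it proposes, so the difference in what page script can read is visible outside a browser. The form model, the event objects and the OpenID value are all constructed for this example.

```javascript
// Added example, not Weave's code: a stand-in for an OpenID login form plus the
// two fill strategies from comment 0, compared outside a browser.
const USER_OPENID = "https://example.invalid/weave/alice"; // constructed value
// Minimal model of the form the extension touches (constructed for this demo).
function makeOpenIdForm() {
  return {
    identifier: { value: "", hidden: false }, // <input name="openid_identifier">
    submit: { label: "Sign in" },
    listeners: [],
    addEventListener(type, fn) { this.listeners.push({ type, fn }); },
    dispatch(event) {
      for (const l of this.listeners) if (l.type === event.type) l.fn(event);
    },
  };
}

// Weave 0.3.2 behaviour per the report: fill at load, before any user action.
function fillOnLoad(form, openid) {
  form.identifier.value = openid;
  form.identifier.hidden = true;
  form.submit.label = "Sign in using Weave";
}
// Proposed mitigation: fill only in a click handler and only for a trusted
// event (user gesture, not a click dispatched by page script). The button is
// still inside the page, so this does not stop the page restyling it.
function fillOnTrustedClick(form, openid) {
  form.submit.label = "Sign in using Weave";
  form.addEventListener("click", (event) => {
    if (!event.isTrusted) return; // synthetic click from the page: ignore
    form.identifier.value = openid;
  });
}

// What any script running in the page can observe at a given moment.
function pageScriptReads(form) {
  return form.identifier.value;
}
function demo() {
  const a = makeOpenIdForm();
  fillOnLoad(a, USER_OPENID);
  const leakedOnLoad = pageScriptReads(a); // identifier exposed immediately
  const b = makeOpenIdForm();
  fillOnTrustedClick(b, USER_OPENID);
  const beforeClick = pageScriptReads(b);
  b.dispatch({ type: "click", isTrusted: false }); // page fakes a click
  const afterFakeClick = pageScriptReads(b);
  b.dispatch({ type: "click", isTrusted: true }); // genuine user click
  const afterRealClick = pageScriptReads(b);
  return { leakedOnLoad, beforeClick, afterFakeClick, afterRealClick };
}
```

In a real browser `isTrusted` is set by the engine and cannot be forged by page script, which is why the check matters; the remaining gap is the one the report names, a trusted click on a button the page controls.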
Yes, this is broken in the prototype. We decided the harm was minimal, since few sites had OpenID login forms anyway. Going forward, we should at least only fill in the form after the button is clicked. I don't think the risk of the user being tricked into clicking the button is great, since the potential benefit to the site is fairly small. The most they could get is your username, so at that point it's probably more convenient for the site to do cookie-based tracking (which will work invisibly without any hacks).
Severity: critical → major
(In reply to comment #1)
> I don't think the risk of having the user being tricked to click the button is
> great, since the potential benefit to the site is fairly small. The most they
> could get is your username, so at that point it's probably more convenient to
> the site to do cookie-based tracking (which will work invisibly without any
> hacks).

Cookies are very limited when it comes to identifying individual users, particularly because privacy-aware users have learned to remove them. Here, on the other hand, you can not only recognize the same user across multiple computers that he is using, you even get his name. Note that detecting Weave (and even checking for a particular version) is trivial, meaning that the webpage could use these "hacks" specifically with Weave users only.
(In reply to comment #2)
> Cookies are very limited when it comes to identifying individual users,
> particularly because privacy-aware users learned to remove them. Here on the
> other hand you cannot only recognize the same user across multiple computers
> that he is using, you even get his name.

In practice, this is not really true. Most users are logged into massive ad networks which track you from page to page using cookies. You are completely correct, however, that the tiny minority that actually bothers to clear (or not use) cookies is much worse off. In any case, we are in agreement that it's a privacy concern and needs to be addressed.
Target Milestone: -- → 1.0
Flags: blocking-weave1.0+
Group: client-services-security
Component: Weave → General
Product: Mozilla Labs → Weave
Version: Trunk → unspecified
Group: client-services-security
Component: General → Identity
QA Contact: weave → identity
Target Milestone: 1.0 → 0.5
Target Milestone: 0.5 → Future
Not in Weave Sync (1.0), not blocking 1.0.
Flags: blocking-weave1.0+ → blocking-weave1.0-
We no longer alter content in any way, so this is fixed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: client-services-security
Flags: blocking-weave1.0-
Product: Mozilla Services → Mozilla Labs
Target Milestone: Future → --