Last Thursday the OpenID foundation announced a serious weakness in the Attribute Exchange extension to OpenID which permits sites to exchange information between endpoints. Essentially, it is possible to pass information through Attribute Exchange unsigned, which could potentially permit an attacker to modify the information.

 

There are no known exploits at this time, and the major sites that use OpenID have been contacted and have deployed a fix. For the rest of you who have applications using OpenID the recommendation is to update the OpenID4Java library to 0.9.6 final.

 

Futher details are available at the Threatpost blog and the Ping Talk Blog.