LuxSci provides OpenID services for facilitate easy and/or secure access to its WebMail services.
On May 2, a security researcher issued a notice that OpenID and OAuth have vulnerabilities that might allow a malicious website to hijack a response from a social login. Initial investigations from the OpenID Foundation indicate that this is not a new discovery, and that mitigations are clearly outlined in the OAuth Threat Model document. However, it has received coverage in the popular tech press. The threat is that the callback URL or redirect URI is compromised, which could lead to a customer’s data being shared with a malicious website, as well as the user being directed to another website.
In short, LuxSci’s OpenID solution is not vulnerable to this issue and our users are safe to use OpenID with LuxSci.
None of the OpenID providers that we support are vulnerable to this issue (e.g. Google, facebook, twitter, etc.) Facebook and Twitter were both vulnerable several years ago, but Twitter changed their protocol and facebook deprecated their OAuth 1.x support which had the bug. In the newer OpenID 2.0 specification, the language describing how things must work was cleared up to say that validation checks at issue must be performed (version 1.x only said that they were optional). Several other mentions of this issue have appeared in various publications and have confused it with general phishing attacks, which is a real, but different problem.