Wednesday, March 28, 2007

MyOpenID Security Features Released

Things have been busy here at the JanRain World Headquarters but I’m excited to share some new features that we’ve recently launched.

Our latest release has re-organized some of the ways that dialogs are presented. Most notably, we’ve broken out the security features into their own pane to help lower confusion for users and make it easier to navigate managing your MyOpenID account. We have two new features (and one update) to talk about:

  • Secure bookmarklet: Under the “Security” settings panel you’ll find a link that says “special MyOpenID login” that is a bookmarklet that you can drag (yes, in your browser) to your bookmark toolbar. Once there, you can use that link (especially in conjunction with the Safe SignIn feature) to quickly navigate to the correct login screen where you can be safe in entering your credentials.
  • Frame busting code: I was at Yahoo! a couple of weeks ago giving a TechTalk (note: this isn’t an endorsement by Yahoo! of OpenID, they have people come in and talk about all kinds of technologies that they may/may not ever deploy) and Rasmus asked “do you have frame busting code on MyOpenID?” The answer then was ‘no’, today it is ‘yes’. There is an attack that will allow sites to capture your keystrokes (say from your password entry) in a hidden IFRAME. We now have the code in place to prevent this attack. Thanks Rasmus.
  • Safe SignIn updated: We also updated the Safe SignIn feature to allow you to continue the specific action you’re working on. With Safe SignIn enabled you’re asked to manually navigate to MyOpenID to login with your username and password if being redirected from an OpenID enabled site. With the secure bookmarklet from above you can open a new tab, click that bookmark, enter your credentials and then return to the previous tab to continue the login action you’re working on. The goal is to help make sure that you’re not entering your password into a site that might be trying to phish your credentials.
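The frame-busting check described in the second bullet, written out as an added example (this is not MyOpenID's own code, and the window-like objects are passed in as parameters so the logic can be exercised with constructed stand-ins rather than a real browser window):

```javascript
// Added example, not MyOpenID's actual frame-busting code: the check a login
// page can run so that it refuses to render inside another site's IFRAME.
// `win` is a window-like object; in a browser it is the global `window`.

// Returns true when `win` is being displayed inside a frame of another page.
function isFramed(win) {
  try {
    // For a top-level document, win.top and win.self are the same window.
    return win.top !== win.self;
  } catch (e) {
    // Browsers may throw when a cross-origin frame touches win.top;
    // that only happens when we are framed, so treat it as framed.
    return true;
  }
}

// If framed, navigate the outermost window to this page so the login form is
// shown as the top-level document rather than inside a hidden frame.
// Returns true when a redirect was issued, false when nothing needed doing.
function bustFrame(win) {
  if (!isFramed(win)) {
    return false;
  }
  win.top.location = win.self.location;
  return true;
}

// In a real page this runs as early as possible in <head>, before the
// password field is rendered.
if (typeof window !== 'undefined') {
  bustFrame(window);
}
```

A script-based check like this was the usual defence in 2007; today the robust mitigation is server-side, by sending `X-Frame-Options: DENY` or a `Content-Security-Policy: frame-ancestors 'none'` header on the login page, with the script kept only as a fallback for clients that ignore those headers.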

We were also notified of a security vulnerability affecting users of the Safari web browser, which was brought to our attention by Gareth Heyes. This was patched last week. Thanks for the heads-up Gareth!

The biggest concern we have with OpenID today is that of phishing. We’ll be releasing some new functionality in the coming weeks that should hopefully address that problem once and for all. Keep an eye out here for more information! In the mean time, thanks for helping make MyOpenID the premier OpenID provider.



~Scott Kveton

Thursday, March 22, 2007

MyOpenID Security Fix

Yesterday, Gareth Heyes alerted us to a vulnerability in MyOpenID.com’s OpenID approval. Luckily, Gareth was one of the good guys and helped us to reproduce the problem, so that we could put out a fix within hours. It’s also fortunate that the vulnerability did not apply to the majority of MyOpenID.com’s users.

Who was exposed, and how?

If you are not a Safari user, you were not exposed to the vulnerability. In the past month, 3% of requests to MyOpenID.com came from browsers that identified themselves as Safari, so that means the vast majority of our users were not exposed. The vulnerability has been fixed, so no users are currently exposed to it.

The exploit allowed an attacker to sign a MyOpenID.com user into any OpenID consumer. Essentially, this attack exposed personal information (a confirmation that the user controls a given MyOpenID.com URL, and any information that’s in their default MyOpenID.com persona) to a third-party site, without the user’s approval.

The attacker could also add the site to the user’s MyOpenID.com trusted sites list, so that further authentication requests would succeed without interaction if the user is signed in to MyOpenID.com.

The attacker was not able to steal the user’s credentials (password), nor were they able to sign in to a site as that user.

How can I tell if I have been exposed?

There are no known cases of malicious exploitation of this vulnerability in the wild. If you are a Safari user and a MyOpenID.com user, you can check your trusted sites list to see if there are any sites present that you did not authorize. You can get to your trusted sites list by signing in to MyOpenID.com, visiting your MyOpenID.com Settings page, and clicking on the Sites tab.

How did it work?

Right now, Gareth is working with other OpenID providers to ensure that they are not vulnerable to similar attacks. We will make a later post about the technical details once those discussions are complete.

We take security seriously, and we welcome reports of potential security problems. Your feedback helps us make MyOpenID.com the best OpenID provider.



~Josh Hoyt

Thursday, March 8, 2007

Looking for translations for MyOpenID

We’ve had several people approach us already (and you’ll all be hearing from us soon enough) about having localized versions of MyOpenID. We’re happy to let people know we’re close! What do we need? Translations.

If you’re interested in joining the effort and bringing MyOpenID to your native tongue, we’d love to have your help. Please see the localization mailing list to learn more and get updates on our progress. A website with more information will be coming on-line soon.



~Scott Kveton

MyOpenID Upgrade Announcement

This is a notice that MyOpenID will be having a maintenance outage starting at 10:00 PM PST on 2007/03/08. The outage may last as long as 30 minutes, but is expected to be considerably shorter.

The reason for this outage is:

Network maintenance

During the outage, the MyOpenID website may be unavailable or unresponsive, and users will be unable to log into OpenID-enabled websites using their MyOpenID accounts. The latest information about this and other MyOpenID events can always be found on http://janrain.com/blog/

We apologize for the inconvenience. If you have any questions, please contact us at support@myopenid.com.



~Mike Glover

Friday, March 2, 2007

Schtuff Acquired by PBwiki

PBwiki, the world’s largest wiki hosting provider, today announced it is acquiring Schtuff, a popular wiki host. Schtuff is built by JanRain, a technology company based in Portland, Oregon. This acquisition follows several recent announcements by PBwiki including a partnership with 30 Boxes, a fundraising round by Mohr Davidow Ventures announced last week, and record growth.

Wikis, such as the popular online encyclopedia Wikipedia, are increasingly popular with consumers for collaborative projects like online classrooms, hobby groups, and business projects. PBwiki, which hosts well over 150,000 wikis and millions of visitors per month, hosts wikis in three popular categories: education, business, and consumer. These categories are a natural fit for Schtuff’s wikis, which include millions of hits and hundreds of thousands of pages of user-generated content. Schtuff is owned by parent company JanRain.

“We’re thrilled to have Schtuff join the PBwiki family,” said Ramit Sethi, co-founder and VP of Marketing for PBwiki. “A community of a million users joins PBwiki today.”

JanRain announced the sale to focus on its core of identity services. “We’re excited about this deal because we wanted to focus on our core of identity services around OpenID while still taking care of the Schtuff community,” said Scott Kveton, CEO of JanRain. “PBwiki has the best community and the best people, hands down. They were the obvious choice.” As part of the acquisition, PBwiki announced that it would support OpenID in an upcoming release.

Terms of the deal were undisclosed, but funds for the acquisition came from recent PBwiki revenue. The acquisition was announced on March 2, 2007.



~Scott Kveton

Schtuff acquisition: What does this mean for you?

It’s official: we have just announced that Schtuff has been acquired by PBwiki. We’ll be migrating your wikis over there 3 weeks from today, and we wanted to let you know why and what we’re doing. What does that mean for you?

First off, we want to take the chance to thank all of the loyal users of Schtuff. It’s been amazing to help build this platform and watch a user community grow around this site. Thank you.

How will this affect you? First of all, your data will be safe and available to you. That won’t change.

Why are we joining the PBwiki team? Well, we’ve been focusing on developing OpenID and we have some exciting news coming out soon. While we wanted to continue paying loving attention to our wikis, we just don’t have the time any more. So we turned to PBwiki, a great group of guys in Silicon Valley who run one of the most successful wiki farms online. They get it — they’ve built a wiki tool that’s simple and powerful at the same time. In fact, we’ve been playing around with PBwiki and talking to their CEO over the last few weeks. We like the team enough to turn Schtuff over to them.

Here’s how it will work:

In 3 weeks, we’ll email you and give you an easy way to migrate your data to PBwiki. We’ll handle all the details. You might have to pick a new wiki name, etc, but it’ll be simple. Given your permission, PBwiki has agreed to import your data, preserve your wiki structure, and give you a wiki that closely mirrors what you already have. They will also be including access controls (normally one of their Premium features) for Schtuff users. Later this year, PBwiki will include OpenID support.

If you choose not to migrate to PBwiki, you’ll have the option to download your wiki data, or do nothing. On 6/1/07 Schtuff will resolve to PBwiki.com.



~Scott Kveton
