If you use OpenID as your authentication method for your website, there is a potential flaw that you need to be aware of.
OpenID is quickly becoming one of the most popular ways to implement authentication on a website without having to create and support a separate username/password authentication process. It's used by many well-known websites today, including WordPress, Facebook, Google and Yahoo.
According to the OpenID Foundation, there are more than 9 million websites using OpenID for authentication.
OpenID's Attribute Exchange (AX) allows a website to receive identity information from an authorized server. If not implemented properly, a user's security credentials could be hijacked. The flaw was found by security researchers Rui Wang, Shuo Chen and XiaoFeng Wang.
The researchers found that some sites were not confirming that the information passed through AX was signed, thus leaving the door open for hackers to jump in and steal/change information. Not a big deal if the information isn't critical or sensitive, but a serious issue if it is.
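As an added example (not code from the article or from any of the libraries it names), here is a relying-party check in Python that refuses AX attributes unless every AX field, including the namespace declaration, is listed in `openid.signed`. It assumes the HMAC signature itself is verified separately by the OpenID library, and the two sample responses are constructed for illustration.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample responses: the query string an OP sends back to the
# relying party's return_to URL. The signature value is a placeholder.
_COMMON = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.ns.ext1=" + AX_NS +
    "&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http://axschema.org/contact/email"
    "&openid.ext1.value.email=alice@example.com"
    "&openid.sig=PLACEHOLDER"
)
GOOD_RESPONSE = _COMMON + (
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,"
    "response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"
)
# Same AX fields, but the OP's signature covers none of them: this is the
# case the vulnerable relying parties accepted.
TAMPERED_RESPONSE = _COMMON + (
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,"
    "response_nonce,assoc_handle"
)

def _ax_alias(params):
    """The extension alias is chosen per request, so find it via its namespace URI."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def unsigned_ax_fields(response_qs):
    """Names (without the 'openid.' prefix) of AX fields absent from openid.signed."""
    params = dict(parse_qsl(response_qs, keep_blank_values=True))
    signed = set(params.get("openid.signed", "").split(","))
    alias = _ax_alias(params)
    if alias is None:
        return []
    # Both the namespace declaration and every alias.* field must be signed.
    required = [f"ns.{alias}"] + [k[len("openid."):] for k in params
                                  if k.startswith(f"openid.{alias}.")]
    return [field for field in required if field not in signed]

def signed_ax_attributes(response_qs):
    """Return {type_uri: value} for AX attributes, refusing any unsigned field."""
    missing = unsigned_ax_fields(response_qs)
    if missing:
        raise ValueError(f"AX fields not covered by signature: {missing}")
    params = dict(parse_qsl(response_qs, keep_blank_values=True))
    alias = _ax_alias(params)
    if alias is None:
        return {}
    type_prefix = f"openid.{alias}.type."
    return {v: params.get(f"openid.{alias}.value.{k[len(type_prefix):]}")
            for k, v in params.items() if k.startswith(type_prefix)}
```

Multi-valued attributes (`value.<name>.N` with a `count.<name>`) are not expanded here; the signed-field check still covers them because it matches every `alias.*` key.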
The issue primarily affects apps that use the OpenID4Java library, but others could be affected. The OpenID Foundation did say that Janrain, Ping Identity and DotNetOpenAuth are probably not vulnerable.
A number of websites were contacted to fix the security flaw, although we aren't being told who exactly. The fix can be found here.