- changed status to open
Registration - Security consideration on Logo needs to be written
Issue #596
resolved
This is a phishing attack vector.
Comments (3)
Account Deleted A rogue RP, such as Aolicious, might show the logo for Aol, which it's trying to impersonate. An IdP needs to take steps to mitigate this phishing risk, since the logo could confuse users into thinking they're logging in to Aol.
Displaying the domain of the callback URL is one option. An IdP could also warn if the domain/site of the logo doesn't match the domain/site of the callback URL. An IdP can also make warnings against untrusted RPs in all cases, especially if they're dynamically registered, have not been trusted by any users at the IdP before, and want to use the logo feature.
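The mitigations listed in the comment above, written out as an added example (not code from the issue tracker, the spec or any implementation it describes): an IdP building its consent page always shows the registrable domain of the callback URL, refuses to render the logo when the logo is hosted on a different site than the callback, and warns on dynamically registered RPs that no user has trusted yet. `ClientRegistration`, `ConsentView`, `build_consent_view` and the `.example` hostnames are assumptions constructed for the example; the two-label suffix set stands in for the Public Suffix List, which a real deployment should use instead.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Illustrative stand-in for the Public Suffix List (assumption): a real IdP
# should consult the actual list to compute the registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


@dataclass
class ClientRegistration:
    """Subset of an RP's registration record (field names are assumptions)."""
    client_name: str
    redirect_uris: list
    logo_uri: str = None
    dynamically_registered: bool = False
    trusted_by_any_user: bool = False


@dataclass
class ConsentView:
    """What the IdP's consent page renders for one authorization request."""
    client_name: str
    callback_domain: str          # always displayed, never replaced by the logo
    show_logo: bool
    warnings: list = field(default_factory=list)


def https_host(url):
    """Return the lower-cased host of an https URL, or None if it is not one."""
    if not url:
        return None
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def registrable_domain(host):
    """Collapse a host to its registrable domain (simplified suffix logic)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_consent_view(reg, redirect_uri):
    """Decide what to show the user for this RP and this callback URL."""
    # The redirect_uri in the request must be one the RP registered; a
    # mismatch is rejected before any UI is built.
    if redirect_uri not in reg.redirect_uris:
        raise ValueError("redirect_uri is not registered for this client")
    callback_host = https_host(redirect_uri)
    if callback_host is None:
        raise ValueError("registered redirect_uri must be an https URL")
    callback_domain = registrable_domain(callback_host)

    warnings = []
    show_logo = reg.logo_uri is not None

    # Dynamically registered RPs that no user has ever trusted get a warning
    # regardless of what else they claim.
    untrusted = reg.dynamically_registered and not reg.trusted_by_any_user
    if untrusted:
        warnings.append("This application registered itself and has not "
                        "been approved by any user before.")

    if reg.logo_uri is not None:
        logo_host = https_host(reg.logo_uri)
        if logo_host is None:
            show_logo = False
            warnings.append("The application's logo is not served over "
                            "https and will not be shown.")
        elif registrable_domain(logo_host) != callback_domain:
            # Logo hosted on a different site than the callback: the
            # Aolicious-shows-Aol's-logo case. Warn and suppress the logo.
            show_logo = False
            warnings.append("The application's logo is hosted on "
                            f"{registrable_domain(logo_host)}, not on "
                            f"{callback_domain}; it will not be shown.")
        elif untrusted:
            show_logo = False
            warnings.append("Logos are not shown for applications that no "
                            "user has approved yet.")

    return ConsentView(reg.client_name, callback_domain, show_logo, warnings)


def example_rogue_rp():
    """Constructed input: a self-registered RP named 'Aol' whose callback is
    on aolicious.example but whose logo is pulled from aol.example."""
    reg = ClientRegistration("Aol", ["https://login.aolicious.example/cb"],
                             "https://www.aol.example/logo.png",
                             dynamically_registered=True)
    return build_consent_view(reg, "https://login.aolicious.example/cb")


def example_honest_rp():
    """Constructed input: a pre-registered RP whose logo CDN and callback
    share one registrable domain."""
    reg = ClientRegistration("Shop", ["https://www.shop.co.uk/cb"],
                             "https://cdn.shop.co.uk/logo.png",
                             trusted_by_any_user=True)
    return build_consent_view(reg, "https://www.shop.co.uk/cb")


if __name__ == "__main__":
    for view in (example_rogue_rp(), example_honest_rp()):
        print(view)
```

The callback domain is rendered unconditionally so that a convincing logo can never be the only identity cue the user sees; suppressing rather than merely flagging a mismatched logo is a stricter choice than the comment's "warn", made here because a warning next to a familiar brand mark is easy to ignore.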
reporter - changed status to resolved
Fixed
#596. Security consideration for logos.