[TYPO3-core] Access denied for old security bug
Dmitry Dulepov
dmitry.dulepov at gmail.com
Fri Jun 21 12:54:20 CEST 2013
Hi!
Helmut Hummel wrote:
> If I know the OpenID of a TYPO3 user, I can log in with *any* Google
> account, if it belongs to this OpenID or not.
Unfortunately this is the case with Google :( Since the Google OpenID URL is
the same for all users, there is no way to find out who is actually logged in.
For example, when I tried to log in with their URL, it asked me which Google
user I want to use (I have a private and a couple of business accounts).
The ID of the authenticated user was a string of random characters. So it
seems like we cannot authenticate with Google at all because it does not
provide information about the user. Dead end :(
--
Dmitry Dulepov
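
The identifier problem discussed in this thread, as an added Python sketch that is not part of the original message and is not TYPO3 code: a relying party can map a login to an account only by the opaque claimed ID in the verified response, and an account stored under the shared provider URL matches nobody. The provider URL, the opaque IDs and the function name are constructed placeholders, and signature verification of the response is assumed to have happened already.

```python
from urllib.parse import urlsplit

# Constructed sample data: the provider URL and opaque IDs are placeholders.
SHARED_OP_IDENTIFIER = "https://op.example/id"  # same URL for every user

USERS = {
    # Account that stored the per-user claimed ID returned by the provider.
    "alice": "https://op.example/id?id=OPAQUE-aaa111",
    # Account that stored only the URL typed into the login form.
    "bob": SHARED_OP_IDENTIFIER,
}


def resolve_user(assertion, users=USERS, shared=(SHARED_OP_IDENTIFIER,)):
    """Map a verified OpenID 2.0 positive assertion to one local user.

    Returns the user name, or None when the response cannot be tied to
    exactly one account.
    """
    # Only a positive assertion ("id_res") carries an identity.
    if assertion.get("openid.mode") != "id_res":
        return None

    claimed = assertion.get("openid.claimed_id", "")

    # The shared URL names the provider, not a person, so it can never
    # select an account on its own.
    if urlsplit(claimed).scheme != "https" or claimed in shared:
        return None

    # Exact string match against the stored identifier; no prefix or
    # host-only comparison, which would accept any account at the provider.
    matches = [name for name, stored in users.items() if stored == claimed]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    other_account = {
        "openid.mode": "id_res",
        "openid.claimed_id": "https://op.example/id?id=OPAQUE-zzz999",
    }
    print(resolve_user(other_account))
```
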