Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
https://drupal.org/node/1425084
http://www.debian.org/security/2013/dsa-2776
http://openid.net/2011/05/05/attribute-exchange-security-alert/