is it possible to hack the header returns from Google/Yahoo! authentication openid request? i mean someone someone uses him@gmail.com to get authenticated with Google and then changes him@gmail.com to me@gmail.com in response from Google and get logged in to site with my account?
Yes, the authentication payload from the Provider to the Relying Party goes through the user's browser, giving the user the opportunity to inspect and even change what gets forwarded to the relying party web site.
However the payload is signed, so any changes to the signed portion of the message will result in the relying party detecting tampering has taken place and should reject the message.
So in effect, no, you can't hijack someone else's account using this method because of the signature verification process that is a built-in part of OpenID.