
Researchers say Microsoft's CardSpace vulnerable

A team of student researchers finds a flaw in CardSpace similar to the one that broke its predecessor, .NET Passport.

Robert Vamosi Former Editor

Using attacks similar to those used to break .NET Passport, a group of students at the Ruhr-Universität Bochum in Germany claim to have stolen CardSpace security tokens from a compromised machine. Microsoft dismisses the attack, saying it would require the user's help to succeed.

CardSpace is included in .NET Framework 3.0 and lets users create personal information cards that are presented to participating Web sites for authentication. When a user selects a card for a site, the .NET software obtains a digitally signed XML token from the card's issuer, and the browser then submits that token to the site. What the students in Germany say they have done is take one of these security tokens from an Internet Explorer 7 browser.

The students, Sebastian Gajek, Jörg Schwenk, and Xuan Chen, say they modeled their CardSpace attack on Kormann and Rubin's 2000 attack on CardSpace's predecessor, .NET Passport. The students write: "our proof-of-concept attack builds upon identical adversarial assumptions. In fact, the potential difference between the .NET passport and CardSpace protocol lies in the browser's handling of security tokens."

The students cite the potential for a drive-by pharming attack, in which a user visits a malicious Web site that changes the DNS server setting on the user's computer. Once the victim's name resolution is under the attacker's control, the students demonstrate that it is possible to steal the security token at the heart of CardSpace.
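The following simulation, written for this article and not taken from the Bochum team's proof of concept or from Microsoft's CardSpace code, shows why a hijacked resolver matters: if the browser decides where to send the token by hostname alone, the token goes to whichever server the attacker's DNS answer points at, and because the token's signature and audience still check out, the attacker can replay it to the real site. The "certificate" is a shared key so the example runs with the standard library only, the hostnames, addresses and keys are constructed, and the certificate-pinning check at the end is one assumed mitigation (binding the card to the server identity recorded on first use), not a description of what CardSpace does.

```python
"""Constructed simulation of token theft via a hijacked resolver.

Example code added to this article; not the researchers' PoC and not CardSpace.
All hostnames, IP addresses and keys below are made up.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

IDP_KEY = b"identity-provider-signing-key"  # constructed: token issuer's signing key

# Constructed: what the victim's resolver answers before the attack.
HONEST_RESOLVER: Dict[str, str] = {
    "rp.example": "203.0.113.10",
    "attacker.example": "198.51.100.7",
}

# Constructed: the servers reachable at those addresses. "cert" stands in for the
# server's certificate (a shared key, so the example needs no crypto library).
# The attacker's server presents a certificate carrying the relying party's name.
HOSTS = {
    "203.0.113.10": {"owner": "rp", "name": "rp.example", "cert": b"rp-long-term-key"},
    "198.51.100.7": {"owner": "attacker", "name": "rp.example", "cert": b"attacker-key"},
}


def fingerprint(cert: bytes) -> str:
    """Pin value a client could record when a card is first used with a site."""
    return hashlib.sha256(cert).hexdigest()


def issue_token(issuer_key: bytes, audience: str, subject: str) -> Dict[str, str]:
    """Identity-provider side: a signed token whose audience is the RP's hostname."""
    payload = json.dumps({"aud": audience, "sub": subject}, sort_keys=True)
    sig = hmac.new(issuer_key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "sig": sig}


def rp_accepts(token: Dict[str, str], issuer_key: bytes, my_name: str) -> bool:
    """Relying-party side: valid signature plus matching audience is all it checks,
    so a token captured in transit can be replayed by whoever holds it."""
    expected = hmac.new(issuer_key, token["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    return json.loads(token["payload"])["aud"] == my_name


def server_hello(ip: str, nonce: bytes) -> Tuple[bytes, str, str]:
    """Server at `ip` presents its certificate, the name it claims, and a proof of
    possession over the client's nonce (stand-in for the TLS handshake)."""
    host = HOSTS[ip]
    proof = hmac.new(host["cert"], nonce, "sha256").hexdigest()
    return host["cert"], host["name"], proof


def drive_by_pharming(resolver: Dict[str, str], hostname: str, rogue_ip: str) -> Dict[str, str]:
    """Outcome of the drive-by attack, modelled at its endpoint: the victim's resolver
    now maps the RP hostname to the attacker. How the setting gets changed is not modelled."""
    hijacked = dict(resolver)
    hijacked[hostname] = rogue_ip
    return hijacked


def browser_submit(token: Dict[str, str], hostname: str, resolver: Dict[str, str],
                   pinned_fp: Optional[str] = None) -> str:
    """Client side: resolve the name, authenticate the server, hand over the token.
    Returns the owner of the server that received the token, or 'refused'."""
    ip = resolver[hostname]
    nonce = os.urandom(16)
    cert, claimed_name, proof = server_hello(ip, nonce)
    # The server must prove it holds the key behind the certificate it presented.
    if not hmac.compare_digest(proof, hmac.new(cert, nonce, "sha256").hexdigest()):
        return "refused"
    # Name-only check: a rogue host presenting a certificate for the expected name
    # passes; a user clicking through a certificate warning has the same effect.
    if claimed_name != hostname:
        return "refused"
    # Assumed mitigation: the certificate must match the one pinned on first use.
    if pinned_fp is not None and fingerprint(cert) != pinned_fp:
        return "refused"
    return HOSTS[ip]["owner"]


def run_scenario(pin_rp_cert: bool) -> Dict[str, object]:
    """Alice logs in to rp.example after her resolver has been hijacked."""
    token = issue_token(IDP_KEY, "rp.example", "alice")
    pinned = fingerprint(HOSTS["203.0.113.10"]["cert"]) if pin_rp_cert else None
    resolver = drive_by_pharming(HONEST_RESOLVER, "rp.example", "198.51.100.7")
    receiver = browser_submit(token, "rp.example", resolver, pinned)
    replayable = receiver == "attacker" and rp_accepts(token, IDP_KEY, "rp.example")
    return {"token_received_by": receiver, "attacker_can_replay": replayable}


if __name__ == "__main__":
    print("name check only:", run_scenario(pin_rp_cert=False))
    print("with pinned cert:", run_scenario(pin_rp_cert=True))
```

With the name-only check the token lands on the attacker's server and verifies at the real relying party, which is the replay the article describes; with the pinned fingerprint the browser refuses before the token leaves the machine. The point of the check is that the relying party's identity must be established by something the attacker cannot supply by controlling DNS.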

Microsoft did not respond directly to the students' claims, but a company spokesperson directed CNET to a blog entry by Kim Cameron from last Friday analyzing the attack. Cameron, chief architect of identity in Microsoft's Connected Systems Division, faults the students' work on two counts. First, he says, Windows Vista makes it hard for a silent attack to change the DNS server without the user knowing. Second, once a rogue DNS server has been added, it is hard to get Windows Vista to accept it as a trusted authority without the user knowing. Cameron has produced a video to demonstrate these points.

However, the students did not use Windows Vista: they stole the security token from Internet Explorer 7.0.5730.13 running on Windows XP SP2, so Cameron's Vista-specific defenses do not address the configuration they tested.