Students crack Microsoft CardSpace

Students at the Ruhr University of Bochum, Germany, say they have found a way to steal security tokens in Microsoft's new CardSpace authentication framework. Attackers can apparently get access to protected, encrypted user data – such as passwords, credit card numbers, and delivery addresses – when they are transmitted. CardSpace (formerly InfoCard) is the successor to Passport. In both architectures, users' personal data are stored locally on the user's system.

Depending on the web site, users can decide which data they want to transmit. CardSpace is designed to make classic passwords a thing of the past, by replacing them with digital certificates that may be self-signed or signed by an authoritative CA such as Verisign.

Link: heise.de


14 Comments

Intercepting the tokens during transmission via a DNS redirect isn't cracking them.

I thought the second paragraph was more important:

According to the report, anti-DNS pinning, DNS rebinding, DNS spoofing, and drive-by pharming are apparently all successful ways to steal transmitted tokens. Attackers basically need to manipulate the user system's name resolution so that the token for the browser-based CardSpace is sent to the attacker. To this end, attackers manipulate the DNS entries on a router, for instance by means of cross-site request forgery, and send the attacked user to a malicious name server. If the attacker manages to switch name resolution during an authentication process so that the victim lands both on a shop's genuine CardSpace website and on a malicious forgery, the attacker then gets the token. During the token's validity, attackers can then pretend to be the user in question when they go shopping.

Couldn't you use this to swipe just about any authentication token, not just CardSpace?
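An added defensive example, not part of the article or of any comment: one way to spot the name-resolution switch described above in resolver logs. The log format, the 300-second window and the /24 load-balancing heuristic are assumptions, and the sample lines are constructed.

```python
import ipaddress

WINDOW = 300  # seconds; assumed upper bound for one authentication flow
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed resolver log (not real data): epoch-seconds client name answer
SAMPLE_LOG = """\
1000 10.0.0.5 shop.example 203.0.113.10
1030 10.0.0.5 shop.example 198.51.100.77
1040 10.0.0.6 shop.example 203.0.113.10
1100 10.0.0.6 shop.example 203.0.113.11
1200 10.0.0.7 intranet.example 192.0.2.8
1210 10.0.0.7 intranet.example 192.168.1.1
5000 10.0.0.5 news.example 203.0.113.50
9000 10.0.0.5 news.example 198.51.100.9
"""

def is_internal(ip):
    """True for RFC 1918 and loopback addresses (IPv4 only in this sketch)."""
    return any(ip in net for net in INTERNAL)

def find_resolution_switches(log_text, window=WINDOW, prefix=24):
    """Flag names whose answer changes for one client within `window` seconds."""
    last = {}      # (client, name) -> (timestamp, address) of the previous answer
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines
        try:
            ts, ip = int(parts[0]), ipaddress.ip_address(parts[3])
        except ValueError:
            continue                       # skip unparsable timestamp or address
        key = (parts[1], parts[2].lower().rstrip("."))
        prev = last.get(key)
        last[key] = (ts, ip)
        if prev is None or ts - prev[0] > window or ip == prev[1]:
            continue                       # first sighting, stale, or unchanged
        if is_internal(ip) and not is_internal(prev[1]):
            reason = "public-to-internal"  # classic rebinding pattern
        elif ip not in ipaddress.ip_network(f"{prev[1]}/{prefix}", strict=False):
            reason = "different-network"   # answer moved to an unrelated host
        else:
            continue                       # same /24: treat as load balancing
        findings.append((key[0], key[1], str(prev[1]), str(ip), reason))
    return findings
```

Legitimate CDNs also rotate answers across networks, so a finding is a lead to correlate with authentication events, not a verdict.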

I think it's a good thing.
1 It's been discovered before it becomes widely used by people.
2 It's better for a student to discover it and publicize it than some underground hacker who will never release the info

(/ -Razorfold said @ #4)
As greywolfsc said, this can be done with any authentication technique. Cardspace is just an example

Then why is Microsoft named in the title of this news post? It'll only make people think bad about them!

(Imran Hussain said @ #4.1)

Then why is Microsoft named in the title of this news post? It'll only make people think bad about them!

It's called news bias... it's like how when people talk about MP3 players they always say Apple iPod...

(illustrick said @ #5)
what is this cardspace thing anyway?
Somethin' that comes with M$'s .NET Framework v2/3. Like the article says it is supposed to replace the .NET Passport...

Really it's just another method of having your personal computer be able to automatically sign into M$ certified websites or others who share the same method. Has to run in the background tho' (infocard.exe, if I remember right).

(hairbautt said @ #5.1)
Somethin' that comes with M

Check your browser. I think it's broken. It puts end-of-string sentinel ending your comment abruptly.

I read that as well. All you need to do is change some system settings, poison your DNS cache, ignore the warning messages and suddenly cardspace is broken.

(Airlink said @ #7)
Single-sign-in services are what are known as A REALLY BAD IDEA. (That's the technical term for it.) ;)

But Seriously:
If I'm set up for multiple sign-in authentications (one for each site I may visit) then if someone compromises the security for any one of those, the others are not necessarily affected. If I set up Cardspace for multiple websites and then some hacker compromises my Cardspace, all the websites I have Cardspace set up for are likely compromised.

Imagine you have a house with 10 external entrances & exits (doors). Would you rather have 10 guards so you can have one guarding one door each, or would you rather have one large (and may I say, bloated) Microsoft-branded guard who supposedly can guard all ten doors. If we follow on from that analogy, it seems Microsoft's door guard, mister Cardspace, has been kicked in the nuts by some German kids and left writhing in agony on the floor while the house he was supposed to be guarding gets robbed.

Lol bloated. What's with Microsoft haters saying everything is bloated.

An app that's like 5mb big is now bloated :rolleyes:

And btw, this can be used for any authentication tokens. Not just cardspace. Getting past the encryption on them is a different thing.

Learn 2 read and use your common sense.

Actually, this article really has very little to do with Cardspace, in particular. It was simply chosen as a target to be named because Microsoft has a big name. There's really nothing very new or clever revealed here, as far as I can tell. Read between the lines.
