The attack on CardSpace relies on the ability to redirect DNS requests to a server hosted by the cracker.
If you use Microsoft's CardSpace authentication system provided with .NET Framework 3.0, then I've got some bad news for you: it would appear that Microsoft hasn't learnt anything from the security vulnerabilities found in the older .Net Passport system.
According to an article over on CNet, a team of German students has successfully updated an eight-year-old attack aimed at CardSpace's predecessor, .Net Passport, to perform a so-called 'pharming' attack on CardSpace-enabled systems.
The basics of the attack, based around similar work published by David Kormann and Aviel Rubin of AT&T Labs' Research section in 2000, involve co-opting a digitally signed token from a Windows XP SP2 system running Internet Explorer 7. Existing vulnerabilities in the browser are used to change the DNS servers on the target computer, so that when the victim's machine looks up the name of a legitimate site it is pointed instead at a server under the direct control of the attacker, which the system then trusts. The upshot is that the secret token at the very heart of the CardSpace single sign-on system can be filched and used to log on to sites as the targeted user without their knowledge, which is precisely what CardSpace was designed to prevent.
Although there are a whole raft of assumptions involved in the attack – not least of which is that the attacker is able to successfully switch the DNS servers used by the targeted system without the user noticing – it's still embarrassing for Microsoft to have their flagship web authentication system, developed to fix flaws in the .Net Passport system, fall victim to the same attack as its predecessor.
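To make the trust failure concrete, here is a toy model of the attack and of the check a practitioner would want in place. It is added for this write-up and is not CardSpace's protocol or Microsoft's code: the hostnames, IPs, signing key, 'certificates' and token format are all made up for the illustration, and the pharmed resolver is just a dictionary the attacker has rewritten. The point it shows is the general one: a single sign-on client that identifies the relying party by the hostname DNS resolved for it will hand its token to whoever controls DNS, whereas a client that insists on a certificate for that hostname from a CA it trusts (and binds the token to that certificate rather than to the name) gives the pharmer nothing useful even after the DNS servers have been switched.

```python
import hashlib
import hmac

# Constructed fixtures for the illustration: none of these are real names or keys.
IDP_KEY = b"constructed-idp-signing-key"
TRUSTED_CA = "ExampleCA"            # the only certificate issuer the client trusts
RP_HOST = "login.example.test"      # the genuine relying party's hostname
RP_IP, ATTACKER_IP = "10.0.0.10", "10.66.66.66"


def sign(user, audience):
    """Identity provider's signature over (user, audience)."""
    msg = f"{user}|{audience}".encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user, audience):
    """The IdP signs whatever audience the client asks for; it never sees DNS."""
    return f"{user}|{audience}|{sign(user, audience)}"


class Server:
    """A relying party on the toy network: a certificate plus a login ledger."""

    def __init__(self, host, cert_subject, cert_issuer):
        self.host = host
        self.cert = (cert_subject, cert_issuer)
        self.fingerprint = hashlib.sha256("/".join(self.cert).encode()).hexdigest()
        self.logged_in = []   # users this server has accepted a token for
        self.captured = []    # only the attacker fills this

    def audience(self, bind_to_cert):
        # Tokens are addressed either to our name or to our certificate.
        return self.fingerprint if bind_to_cert else self.host

    def consume(self, token, bind_to_cert):
        """Accept a correctly signed token that is addressed to this server."""
        user, aud, mac = token.split("|")
        if hmac.compare_digest(mac, sign(user, aud)) and aud == self.audience(bind_to_cert):
            self.logged_in.append(user)
            return True
        return False


class Attacker(Server):
    """Fake relying party reached via pharmed DNS: capture the token, replay it."""

    def __init__(self, target):
        # A self-signed certificate for the wrong name is all the pharmer has.
        super().__init__(target.host, "attacker.test", "attacker.test")
        self.target = target

    def consume(self, token, bind_to_cert):
        self.captured.append(token)
        return self.target.consume(token, bind_to_cert)  # replay against the real site


def browser_login(user, hostname, dns, network, check_cert, bind_to_cert):
    """Client side: resolve the name, optionally verify the cert, send a token."""
    server = network[dns[hostname]]       # after pharming, dns[...] is attacker-chosen
    subject, issuer = server.cert
    if check_cert and (subject != hostname or issuer != TRUSTED_CA):
        return f"refused: certificate does not prove we reached {hostname}"
    audience = server.fingerprint if bind_to_cert else hostname
    token = issue_token(user, audience)
    return "accepted" if server.consume(token, bind_to_cert) else "rejected"


def run(check_cert, bind_to_cert, pharmed=True):
    """One login attempt; returns (outcome, users the real RP logged in, stolen tokens)."""
    real = Server(RP_HOST, RP_HOST, TRUSTED_CA)
    fake = Attacker(real)
    network = {RP_IP: real, ATTACKER_IP: fake}
    dns = {RP_HOST: ATTACKER_IP if pharmed else RP_IP}
    outcome = browser_login("alice", RP_HOST, dns, network, check_cert, bind_to_cert)
    return outcome, real.logged_in, fake.captured


if __name__ == "__main__":
    for check_cert in (False, True):
        for bind_to_cert in (False, True):
            print(f"check_cert={check_cert!s:5} bind_to_cert={bind_to_cert!s:5} ->",
                  run(check_cert, bind_to_cert))
```

With neither check, the pharmed victim's token is captured and the real site logs the attacker in as alice, which is the outcome the article describes. Binding the token to the certificate the client actually saw means the stolen token is addressed to the attacker's certificate and the genuine site rejects it; checking that certificate up front means no token is ever issued. Either way, the DNS switch on its own stops being enough.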
So far, Microsoft has not provided a response to the publication of the attack. Providing a vector exists that gives the attacker control over DNS resolution from the target machine, the attack remains viable.
Are any web developers hoping to utilise the single sign-on services offered by CardSpace now thinking twice about implementing it, or are the chances of a successful attack via DNS 'pharming' so remote as to be negligible? Share your thoughts over in the forums.