bit-tech.net

CardSpace duplicates Passport flaw

The attack on CardSpace relies on the ability to redirect DNS requests to a server hosted by the cracker.

If you use Microsoft's CardSpace authentication system provided with .NET Framework 3.0, then I've got some bad news for you: it would appear that Microsoft hasn't learnt anything from the security vulnerabilities found in the older .Net Passport system.

According to an article over on CNet, a team of German students has successfully updated an eight-year-old attack aimed at CardSpace's predecessor .Net Passport to perform a so-called 'pharming' attack on CardSpace-enabled systems.

The attack builds on similar work published in 2000 by David Kormann and Aviel Rubin of AT&T Labs' Research section. It involves co-opting a digitally signed token from a Windows XP SP2 system running Internet Explorer 7: existing vulnerabilities in the browser are used to change the DNS servers on the target computer, fooling the system into trusting a system under the direct control of the attacker. The upshot is that the secret token at the very heart of the CardSpace single sign-on system can be filched and used to log on to sites as the targeted user without their knowledge, something the CardSpace system was designed to prevent.

Although there is a whole raft of assumptions involved in the attack – not least of which is that the attacker is able to successfully switch the DNS servers used by the targeted system without the user noticing – it's still embarrassing for Microsoft to have its flagship web authentication system, developed to fix flaws in the .Net Passport system, fall victim to the same attack as its predecessor.

So far, Microsoft has not provided a response to the publication of the attack. Provided a vector exists that gives the attacker control over DNS resolution from the target machine, the attack remains viable.

Are any web developers hoping to utilise the single sign-on services offered by CardSpace now thinking twice about its implementation, or are the chances of a successful attack via DNS 'pharming' so remote as to be negligible? Share your thoughts over in the forums.

4 Comments

Paradigm Shifter 3rd June 2008, 12:11
When all I saw was the headline, I was worried about the word 'passport'... I was thinking the little bit of paper that lets you travel... (oops) :)
Mentai 3rd June 2008, 12:50
Haha same here
Cthippo 3rd June 2008, 20:45
Aren't a lot of attacks these days run against DNS though? Doesn't seem like it would be that difficult considering what else crackers do on a daily basis.
Veles 4th June 2008, 00:39
Seeing as it happened to Comcast not long ago