A Mistaken Hacking Call on CardSpace
A software developer discovered flaw in 'Windows CardSpace' claiming that it could give a user illegal access to the desktop. Was it a vulnerability that Microsoft overlooked? The company denies it to be one at all.
Microsoft has created 'Windows CardSpace' to store digital identities. It is meant to be a core place to authenticate users for transactions such as logging into desktop or posting a comment or suggestion on a site. The technology also acts as storage of other information about a user such as name, address and phone number. The key function of 'CardSpace' is to keep data secured. In its brief existence so far, there has been no breaches. However, someone claims to have broken through the system.
Developer Sergey Shishkin says he has hacked 'CardSpace and is even ready with a 'proof of concept'.
The vulnerability that was exploited was an 'Open File Dialog', which is used in operations such as choosing a picture for a card or a file for data backup. When the 'Open File Dialog' is in the process of opening, the desktop becomes visible for just a moment. But after it opens, the 'start menu' is free to open using 'Win button' and then anything is possible to do.
This was something that can't be missed. Actually, Microsoft didn't miss it and the company said it wasn't vulnerability. Responding to Shishkin's claim, Richard Turner, program manager for 'Windows CardSpace', explained when the 'Open File Dialog' opens within CardSpace, the user is actually taken back to the desktop where the 'Open File Dialog' displays itself.
Microsoft was very careful that the 'dialog' did not open from within CardSpace's desktop to guard from an inadvertent or deliberate summon of a code. The code, which could execute within could weaken the security of 'CardSpace's Private Desktop'.
Since the 'dialog' appears like opening from within CardSpace, Microsoft made several trials to keep the user experience consistent.
Related article: A New "Blackmailing" Variant Creeps Around…
» SPAMfighter News - 27-10-2006