Pesquisadores burlam o cardspace da microsoft
Grupo de pesquisadores conseguem burlar a tecnologia CardSpace
Um trio de pesquisadores de segurança disse ter conseguido comprometer com sucesso a tecnologia CardSpace da Microsoft. A tecnologia CardSpace está presente no Windows Vista e funciona em conjunto com um browser quando o usuário utiliza um site que pede por informações como endereço ou número de cartão de crédito. As informações pessoais podem ser armazenadas no computador do usuário ou em um serviço de armazenamento de terceiros.
O CardSpace mantém um conjunto de cartões de identificação virtuais no PC do usuário. Quando um site pede por informações, o usuário escolhe um de seus cartões. Cartões "self-issued" armazenam informações sobre a identidade, enquanto que cartões "gerenciáveis" são armazenados por um provedor de identidades.
Os pesquisadores, do Horst Gortz Institute for IT Security na Universidade Ruhr, mostraram como é possível interceptar o token de autenticação do CardSpace. O hacker poderia então utilizar o token para obter acesso à outro site ou transmitir informações para este site.
A trio of computer security researchers said they've successfully compromised Microsoft Corp.'s CardSpace, a technology intended to strengthen the security of personal information on the Internet.
Shipping with the Windows Vista operating system, CardSpace works in concert with a browser when someone uses a Web site that asks for information such as an address or a credit card number. That personal information can be stored on the user's computer or with a third-party identity provider.
CardSpace keeps a set of virtual ID cards on the user's computer. When a Web site asks for information, the user picks one of the cards. "Self-issued" cards store identity information on a user's PC, while "managed" cards are stored by an identity provider.
When logging onto a Web site, the user can ask the identity provider to vouch for them, which saves having to remember a slew of different passwords, a concept known as single sign-on. Rather than directly receiving the personal information, the Web site gets a token from the identity provider, adding an additional layer of security to a Web transaction beyond SSL (Secure Sockets Layer) browser encryption.
The researchers, from the Horst Gortz Institute for IT Security at Ruhr University in Bochum, Germany, have shown it is possible to intercept the authentication token from CardSpace. The hacker could then use the token to gain access to the other site or transmit sensitive information to that site.
Microsoft is hoping CardSpace will reduce problems plaguing Internet users such as identity theft. The company has also pledged to integrate CardSpace with OpenID, an open-source standard with the same goals that has been implemented in part by companies such as Yahoo Inc. However, Web sites have to be designed to work with CardSpace and OpenID, and so far, neither is widely used.
The attack against CardSpace involves directing a user to a malicious Web server. In the explanation, the attack involves modifying the victim's DNS settings -- another trick known as "pharming" -- and directing the person to the malicious Web server, which is then able to grab the authentication token.
So far, the method remains proof-of-concept and has not been used to attack people. But that could change, the researchers said.
The attack can be easily replicated, according to the Horst Gortz Institute. The researchers "conclude that it is realistic to expect attacks against CardSpace soon in the wild."
Microsoft officials said they are looking into the research.
The research was done by two IT security students, Sebastian Gajek and Xuan Chen, and Jorg Schwenk, a professor and chairman of network and data security at the institute.