German Students Break CardSpace Security
Three students from the Ruhr-University Bochum in Germany were able to intercept the security token and, based on that,
We study the security of Cardspace and show that the browser-based protocol is susceptible to attacks, where the adversary steals the security token. Consequently, we prove evidence that users are impersonatable and the one who potentially suffer from identity theft. We confirm the practicability of the attack by presenting a proof of concept implementation. Finally, we discuss countermeasures, addressing both the CardSpace identity metasystem and the protocol.See the short description and the full report (pdf).
Heise Security tried to reproduce the attack without success, though. Microsoft is already working on a solution.