InfoCard/Cardspaces "Hack"?

updated 12:27 AM PST, 8/27/2006
updated 9:14 AM PST, 8/16/2006

An interesting post appeared on Kim Cameron's IdentityBlog yesterday afternoon. Rohan Pinto apparently circumvented the security on the blog (which runs on WordPress), and vaguely implied that the exploit was enabled by Kim's use of InfoCard/Cardspaces:

"I thought of a small infocard exploit, and just tried it on this site not expecting it to work on the first attempt. but it did . . ."

It isn't immediately clear to me that the hack was particular to InfoCard/Cardspaces for a couple of reasons:

  1. Rohan seems to have been correctly identified by the site as "Rohan Pinto" in both the original post and the follow-up comment (i.e., he wasn't able to post as "Kim Cameron" or under some other user's identity).

  2. The "hack" seems to be an exploit of entitlements or permissions within the application. Unless the asserted identity contained falsified credentials that allowed the user to assume an admin role (as opposed to the site naively trusting unqualified or unsigned attributes), the exploit would not seem to be specific to the protocols that make up InfoCard/Cardspaces.
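To make the distinction in point 2 concrete, here is an added illustration (not Kim's PHP InfoCard code, nor anything from the incident) of the two relying-party behaviours being contrasted: one that grants a role because a token attribute says so, and one that first verifies the token's issuer and signature and then derives the role from the site's own entitlement table. Real InfoCard tokens are signed SAML assertions; an HMAC over a JSON claim set, the issuer URL, the "ppid" subject identifier and the shared key are all constructed stand-ins.

```python
import hashlib
import hmac
import json

# Constructed: the one issuer this relying party (RP) trusts and its key.
ISSUER_KEYS = {"https://issuer.example/": b"constructed-shared-secret"}

# Constructed: entitlements the RP itself maintains, keyed by enrolled subject.
LOCAL_ROLES = {"ppid-site-owner": "admin", "ppid-visitor": "subscriber"}


def _canonical(claims):
    """Deterministic byte form of the claim set, so signing and verifying agree."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(claims, key):
    """Issuer side (constructed): sign the claim set with the issuer key."""
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def naive_rp_role(token):
    """Vulnerable pattern: honour whatever role attribute arrives,
    without checking who signed the token or whether it was signed at all."""
    return token["claims"].get("role", "subscriber")


def hardened_rp_role(token):
    """Hardened pattern: verify issuer and signature, then take the role from
    the RP's own table. A role attribute inside the token is ignored."""
    claims = token.get("claims", {})
    key = ISSUER_KEYS.get(claims.get("issuer"))
    if key is None:
        raise PermissionError("untrusted or missing issuer")
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        raise PermissionError("signature does not verify")
    return LOCAL_ROLES.get(claims.get("ppid"), "subscriber")


def evaluate(token):
    """Return (naive_role, hardened_role); hardened_role is None when rejected."""
    try:
        hardened = hardened_rp_role(token)
    except PermissionError:
        hardened = None
    return naive_rp_role(token), hardened


def demo():
    """Constructed scenarios: a genuine token, the same token with a smuggled
    'role' attribute, and an unsigned token claiming admin."""
    key = ISSUER_KEYS["https://issuer.example/"]
    genuine = issue_token({"issuer": "https://issuer.example/",
                           "ppid": "ppid-visitor"}, key)
    signed_with_role = issue_token({"issuer": "https://issuer.example/",
                                    "ppid": "ppid-visitor",
                                    "role": "admin"}, key)
    unsigned = {"claims": {"issuer": "https://issuer.example/",
                           "ppid": "ppid-visitor", "role": "admin"},
                "sig": ""}
    return {
        "genuine": evaluate(genuine),
        "signed_with_role": evaluate(signed_with_role),
        "unsigned": evaluate(unsigned),
    }


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:17s} naive={naive!r:12s} hardened={hardened!r}")
```

The point the example makes is the one in the bullet: if the RP keeps its own entitlement table and only consults a token for a verified identity, a forged or unsigned attribute cannot turn a subscriber into an admin; a site that can be escalated that way has a permissions problem in the application, not in the identity protocol.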

Based on these observations, I suspect that the exploit is particular to either Kim's PHP InfoCard implementation, or an issue with his WordPress configuration.

Kim or Rohan, any details you are able to share regarding this would be appreciated, because if there is an exploit common across InfoCard/Cardspace implementations, I'm sure the community would be interested in hearing about it.

Rohan, while I can understand your reluctance to share the technical details of your exploit, perhaps you could disclose any occurrences of this vulnerability in other public RP implementations (Ping Identity, xmldap.org). Is the attack feasible against all InfoCard-enabled sites?

[UPDATE] Rohan has confirmed here that, indeed, the exploit was unrelated to InfoCard and was simply a WordPress-specific exploit.

Kim has since removed Rohan's post, so I've included a screenshot below, and a copy of the item can be found here.

[UPDATE] Rohan called and asked me to remove my link to a search for the term "Rohan Pinto", as he feels he has been the victim of a "google bombing" campaign by other parties in a dispute over copyright infringement. I have obliged Rohan, and am now linking directly to his blog.