An interesting post appeared on Kim Cameron's IdentityBlog yesterday afternoon. Rohan Pinto apparently circumvented the security on the blog (which runs on WordPress), and vaguely implied that the exploit was enabled by Kim's use of InfoCard/CardSpace:
It isn't immediately clear to me that the hack was particular to InfoCard/CardSpace for a couple of reasons:
Based on these observations, I suspect that the exploit is particular to either Kim's PHP InfoCard implementation, or an issue with his WordPress configuration.
Kim or Rohan, any details you are able to share regarding this would be appreciated, as if there is an exploit that is common across InfoCard/Cardspace implementations, then I'm sure the community would be interested in hearing about it.
Rohan, while I can understand your reluctance to share the technical details of your exploit, perhaps you could disclose any occurrences of this vulnerability in other public RP (relying party) implementations (Ping Identity, xmldap.org). Is the attack feasible against all InfoCard-enabled sites?
[UPDATE] Rohan has confirmed here that, indeed, the exploit was unrelated to InfoCard, and was simply a WordPress-specific exploit.
Kim has since removed Rohan's post, so I've included a screenshot below, and a copy of the item can be found here.
[UPDATE] Rohan called and asked me to remove my link to a search for the term "Rohan Pinto", as he feels he has been the victim of a "google bombing" campaign by other parties in a dispute over copyright infringement. I have obliged Rohan, and am now linking directly to his blog.