CardSpace Hacked? No!
In a post on his blog, Sergey Shishkin claims to have "hacked" CardSpace. Alas, this is more a case of CardSpace perhaps doing too good a job of providing a consistent user experience: it masks the moment when it drops back to the user's desktop to open the file-open dialog.
I've tried posting a response clarifying the situation to Sergey's blog, but I keep getting errors back. I've posted my response here for now:
Hey Sergey.
What you've "found" is not, in fact, a penetration at all!
When you open the "File Open" dialog from within CardSpace, you're actually dropped back to your normal desktop, where the "File Open" dialog is displayed to you (this is why the UI flickers a little when you hit Browse).
We were very careful to ensure that the dialog was not opened from within CardSpace's private desktop, to shield you from inadvertently (or deliberately) invoking code which could execute there and therefore potentially compromise the safety of CardSpace's Private Desktop.
The fact that it LOOKS LIKE the dialog is opening from within CardSpace is because we wanted to keep the user experience as consistent as possible.
I hope this clears up the issue.