As I said in the previous post, the students from Ruhr Universität who are claiming discovery of security vulnerabilities in CardSpace did NOT “crack” CardSpace.
Instead, they created a demonstration that requires the computer's owner to consciously disable the computer's defenses through complex configurations – following a recipe they published on the web.
The students are not able to undermine the system without active co-operation by its owner.
You might be thinking a user could be tricked into accidentally cooperating with the attack. To explore that idea, I've captured the steps required to enable the attack in this video. I suggest you look at this yourself to judge the students’ claim that they have come up with a “practical attack”.
In essence, the video shows that a sophisticated computer owner is able to cause her system to be compromised if she chooses to do so. This is not a “breach”.