Security bug in ProtectedData.Unprotect?

What would you expect the following code would do?

    using System.Security.Cryptography;

    Byte[] actual = { 1, 2 };
    // Protect under the current user's DPAPI master key.
    Byte[] secure = ProtectedData.Protect(actual, null, DataProtectionScope.CurrentUser);
    // Ask to unprotect under the machine scope instead.
    Byte[] expected = ProtectedData.Unprotect(secure, null, DataProtectionScope.LocalMachine);

I was expecting it to throw an exception when trying to unprotect the data. But it does not, and expected is the same as actual. Why? Because the CryptUnprotectData API that ProtectedData.Unprotect uses does not use the data protection scope at all.

Does the .NET base class team not read the Win32 API documentation?

    Thursday, October 28, 2010 7:13 PM
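The post's observation can be turned into a small probe that shows what DPAPI does and does not bind into a protected blob. The following is an added example, not code from the original post or from the .NET base class library; it is Windows-only (on .NET Core and later it needs the System.Security.Cryptography.ProtectedData package), and the secret and entropy strings are constructed placeholders.

```csharp
// Added example: probe which inputs ProtectedData.Unprotect actually checks.
// Assumes Windows and the System.Security.Cryptography.ProtectedData API;
// the secret and entropy values below are constructed for the demonstration.
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiScopeProbe
{
    // Byte-wise comparison that also works on older frameworks without Span helpers.
    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    // Returns true only if Unprotect succeeds and yields the original plaintext;
    // a CryptographicException (wrong entropy, wrong principal, tampering) maps to false.
    static bool TryUnprotect(byte[] blob, byte[] entropy, DataProtectionScope scope, byte[] expectedPlain)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, entropy, scope);
            return SameBytes(plain, expectedPlain);
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    static void Main()
    {
        byte[] secret  = Encoding.UTF8.GetBytes("constructed secret");
        byte[] entropy = Encoding.UTF8.GetBytes("constructed app-specific entropy");

        // 1. The scope argument of Unprotect: the post reports that a CurrentUser blob
        //    decrypts even when LocalMachine is requested, because the scope is fixed
        //    when the blob is created (which master key was used), not when it is read.
        byte[] userBlob = ProtectedData.Protect(secret, null, DataProtectionScope.CurrentUser);
        Console.WriteLine("CurrentUser blob, Unprotect(LocalMachine) : "
            + TryUnprotect(userBlob, null, DataProtectionScope.LocalMachine, secret));
        Console.WriteLine("CurrentUser blob, Unprotect(CurrentUser)  : "
            + TryUnprotect(userBlob, null, DataProtectionScope.CurrentUser, secret));

        // 2. The optional entropy IS bound into the blob: it must be supplied again,
        //    unchanged, or Unprotect throws. This is the per-application binding
        //    to use when several callers share the same user or machine key.
        byte[] entropyBlob = ProtectedData.Protect(secret, entropy, DataProtectionScope.CurrentUser);
        Console.WriteLine("entropy blob, Unprotect(no entropy)      : "
            + TryUnprotect(entropyBlob, null, DataProtectionScope.CurrentUser, secret));
        Console.WriteLine("entropy blob, Unprotect(right entropy)   : "
            + TryUnprotect(entropyBlob, entropy, DataProtectionScope.CurrentUser, secret));

        // 3. Integrity: DPAPI authenticates the blob, so a modified ciphertext
        //    is rejected rather than decrypted to garbage.
        byte[] tampered = (byte[])userBlob.Clone();
        tampered[tampered.Length - 1] ^= 0x01;
        Console.WriteLine("tampered CurrentUser blob                : "
            + TryUnprotect(tampered, null, DataProtectionScope.CurrentUser, secret));
    }
}
```

Run it as the same account that created the blobs. The practical caveat is the one the post points at: the scope passed to Unprotect is not an access check, so code must not rely on passing LocalMachine or CurrentUser at read time to reject blobs from the other scope. What separates principals is which master key can be reached by the caller (a CurrentUser blob made under one account will fail under another), and what separates applications under the same principal is the optional entropy, which should be treated as a secret the application owns.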