
CVE-2024-23674: n/a

Severity: Critical
Published: Thu Feb 15 2024 (02/15/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-23674 is a critical vulnerability affecting the Online-Ausweis-Funktion eID scheme in the German National Identity card system. It enables an attacker to bypass authentication by spoofing, allowing a man-in-the-middle to impersonate victims and access sensitive government, medical, and financial services. The exploit requires the victim to have installed a modified eID kernel, often through a fake app, and leverages insecure PIN entry methods and deeplinking vulnerabilities. This flaw compromises the confidentiality, integrity, and availability of personal data and services. The German Federal Office for Information Security (BSI) emphasizes that securing the client environment is the cardholder's responsibility. No patches are currently available, and no known exploits have been reported in the wild. The CVSS score is 9.6, indicating critical severity. Organizations relying on the German eID system must urgently assess and mitigate the risks associated with this vulnerability.

AI-Powered Analysis

Last updated: 02/26/2026, 10:14:57 UTC

Technical Analysis

CVE-2024-23674 targets the Online-Ausweis-Funktion (eID) scheme used in the German National Identity card, allowing attackers to bypass authentication mechanisms through spoofing, dubbed the "sPACE (Spoofing Password Authenticated Connection Establishment)" issue. The vulnerability arises from a combination of insecure PIN entry on basic card readers and the use of eid:// deeplinking, which can be exploited by a man-in-the-middle attacker to assume the identity of the victim. The attack requires the victim to have a modified eID kernel, typically installed by tricking the user into installing a counterfeit version of an official eID app. Once exploited, the attacker can access sensitive government, medical, and financial resources and extract personal data stored on the card. The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) and has a CVSS v3.1 score of 9.6 (critical), reflecting its high impact on confidentiality, integrity, and availability; no privileges are required, but user interaction is necessary. The German Federal Office for Information Security (BSI) highlights that securing the client environment is the responsibility of the cardholder, implying that the vulnerability is partly due to client-side security weaknesses. No official patches or fixes have been released as of the publication date, and no active exploitation has been reported in the wild.

Potential Impact

The impact of CVE-2024-23674 is severe for individuals and organizations relying on the German eID system for authentication and access to critical services. Successful exploitation allows attackers to impersonate victims, gaining unauthorized access to government portals, healthcare records, and financial accounts, potentially leading to identity theft, fraud, and privacy violations. The extraction of personal data from the card further exacerbates privacy risks and could facilitate subsequent targeted attacks. For organizations, this undermines trust in digital identity verification processes and may result in regulatory and reputational damage. The requirement for a modified eID kernel means that social engineering or malware distribution campaigns could be leveraged to compromise users, increasing the attack surface. The lack of patches and reliance on user-side security measures complicate mitigation efforts, potentially prolonging exposure. Overall, this vulnerability threatens the confidentiality, integrity, and availability of sensitive personal and institutional data within Germany's digital identity ecosystem.

Mitigation Recommendations

Mitigation should focus on multiple layers: First, users must be educated to avoid installing unofficial or modified eID applications and to verify app authenticity through official channels. Organizations and the BSI should enhance awareness campaigns emphasizing the importance of maintaining a secure operational environment on client devices. Deployment of endpoint security solutions capable of detecting unauthorized modifications to the eID kernel or suspicious app installations is recommended. Developers should consider implementing stronger PIN entry protections, such as hardware-based secure PIN entry or multi-factor authentication mechanisms that do not rely solely on PINs. The BSI and relevant authorities should expedite development and release of official patches or updated eID app versions that address deeplinking vulnerabilities and enforce integrity checks on the eID kernel. Additionally, monitoring for phishing or social engineering campaigns targeting eID users can help reduce the risk of kernel compromise. Organizations relying on eID authentication should implement anomaly detection and additional verification steps for high-risk transactions. Finally, users should be advised to regularly update their devices and apps to incorporate any forthcoming security improvements.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-19T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d51b7ef31ef0b5704e2

Added to database: 2/25/2026, 9:44:49 PM

Last enriched: 2/26/2026, 10:14:57 AM

Last updated: 2/26/2026, 11:08:00 AM
