Cenzic 232 Patent
Paid Advertising
web application security lab

Vidoop

In an interesting email that was sent to me I was asked to take a peek at a new software tool, not yet released to the public called Vidoop (there is an interesting article on it here). While I was unable to actually take a look at the software, I’ve got a pretty good idea of how it works from the Wired article. After downloading a software certificate that allows you to use their software basically you say, “I like animals” and it shows you pictures of horses and cats and dogs all mixed in with a bunch of non-animal photos. You choose the the correct photos (a la kittenauth CAPTCHA) and you are granted access.

So here are the major problems with this that I see. Firstly, it’s probably not accessible (meaning there aren’t alt tags on the images) because if there were it would take only a few guesses to get in since the computer could build databases of “like” things. So basically, like in kittenauth, the blind are screwed (which we have talked about a dozen times and I really don’t want to start another conversation on it, I’m just sayin’). Secondly, it’s non-portable because you have to have the software installed on the computer you want to use. That means you can only use it from one computer (forget going over to a friend’s house and logging in) and if that one computer gets hosed you need to find an alternate path for getting the software installed (which is often the least secure part of these systems). This type of design is a lot less portable than tokens and for a consumer tokens are nearly unusable too.

Also something that makes me uncomfortable from a security perspective is the concept of single sign-in. I’ve always thought single sign-on was a great usability improvement but often terrible from a security perspective. Like the old motivational adage - you’re only as strong as your weakest link - the same is often true with single sign-on. You are often at the mercy of the weakest security model. If any one site is insecure you can (in many of the cases of single sign-on that I have seen) end up compromising all the other trusted sites. Perhaps Vidoop has a great way to solve that issue that revolutionizes the way authentication works and never opens itself up for attack under any scenario. Without looking at it, there’s no way for me to know.

Lastly, because Vidoop uses a relatively small set of photos to choose from, there are only a few general choices from which to brute force (otherwise you’d run into overlap and false positives). If I know the target is a male, chances are they aren’t going to pick the fuzzy animals. If I know the target is a 13 year old girl, chances are they aren’t going to pick photos of computers or sports cars and so on. Anyway, you see the problems with this, Unlike passwords, which are user specific (and still guessable), this is highly un-arbitrary. Does it stop phishing, keystroke logging, cure cancer or any other magical things? I can’t say without looking at it. Will I be using it for large scale mission critical secure production installs? Doubtful.

16 Responses to “Vidoop”

  1. Sid Says:

    No one will ever ask you to test their software again :p

    Good write up though.

    As for the fact you need the software installed; they could probably make a version you could run off your memory stick. Still I agree that it’s nothing great.

    For some time I’ve thought perhaps you could use google images in a captcha somehow. There are various possibilities with various upsides and downsides but I have yet to think up something really great.

  2. Chris Shiflett Says:

    The disadvantage of SSO is also a potential advantage. Although I also shudder at the thought of a single point of failure, the other side of the argument is that this particular concern can drive people to create stronger solutions, so we end up with a stronger single point of failure instead of many weak ones.

    With OpenID in particular, I see the risk as being more on the side of OpenID providers than OpenID consumers.

    I don’t mean to hijack your post with thoughts of OpenID. :-) It’s just something that has been on my mind lately.

  3. Jordan Says:

    Actually, single-sign-on needn’t be any less secure because of one weak link site. For example, the University of Michigan developed Co-Sign to provide SSO where even if a site is malicious, the only thing it can do is allow or deny access to the visiting user, but can’t MITM to get access to the credentials:

    http://www.umich.edu/~umweb/software/cosign/

    Aside from some recent vulnerabilities in their implementation (oops!) the design is really solid. Think of it as kerberos for the web. I haven’t looked at OpenID enough to know whether it functions similarly or not.

    Of course, you still have the weak link in the fact that there’s /one/ set of credentials for a bunch of websites, but I think the disadvantage is in many ways offset by the fact that it prevents a whole bunch

  4. RSnake Says:

    I didn’t say it “needed” to be less secure, it just happens that it very often is. I’m also not saying they are insecure for that fact, I’m just saying I’ve seen a handful of SSO solutions and only one of them had any hope of standing up to large scale exploitation. Maybe other people have seen better implementations, but all of these were multi-million user installs and not one of them was secure. It doesn’t bode well for the technology, even if there are some academic versions that are more robust.

  5. KBong Says:

    Vidoop’s Authentication Grid isn’t a software that you install on your machine. It is a service that a website provides for you, eg. your bank. so you can still use Vidoop on any computer. It’s just that when you are on a computer that has not been set as “your computer”, you will be asked for a one time code that will be sent to your email, phone, or text message. with that code, you can then access your account for that one session. in that case, if i somehow got a hold of your username, i would be prompted for a one-time code. unless i have an access to your email, or i have your phone, i wouldn’t be able to see your grid at all. send me an email if you’d like an invite code to try myvidoop out.

  6. Gaz Says:

    I was sent a demo to test and it included a CSRF hole because they didn’t do any sort of form tokens. I think they have fixed it since, I assume so anyway. They use OpenID for authorisaton and there are many security risks with the way the majority of the providers configure their sites for example:-

    http://janrain.com/blog/2007/03/22/myopenid-security-fix/

  7. Chris Shiflett Says:

    Gaz, that has indeed been fixed. You must have tried JanRain’s OpenID server before me, because that was the first thing I looked for.

    (To be clear, Gaz’s reference to “it” is a web site called MyOpenID, not OpenID itself.)

  8. Chris Shiflett Says:

    After further reading, I think we might be talking about different things, so I can’t confirm that this has been fixed.

  9. Gaz Says:

    Hi Chris

    Both sites contained a flaw, MyOpenID has since fixed the problem I reported. I also got an email from Vidoop to check their site and indeed it contained a similar problem but affected all browsers. The Safari problem still exists today and still hasn’t been fixed by Apple. (Come on Apple! I won’t wait forever)

    All OpenID providers that I’ve looked at remember the users password, if they asked for the password everytime a site request occured it would fix a ton of problems. There are around 2-3 other potential vulnerabilities that I can think of at the moment.

  10. Gaz Says:

    I informed Vidoop of their form token problem (or rather lack of) and they confirmed the problem and said they would fix it. I didn’t have confirmation that it was fixed but I presume it is.

  11. Scott Blomquist Says:

    Gaz is right–it has been fixed.

  12. Scott Blomquist Says:

    On the accessibility issue, a museum can be accessible even if its paintings are not.

    Web sites will have to use a non-visual approach to authenticating users who are visually impaired–this doesn’t mean that sighted users should not benefit from the added security provided by visual authentication techniques.

    Vidoop’s recommended approach for authenticating visually impaired users is to deliver an activation PIN using a voice phone call (which you can try out on myvidoop.com) in combination with a text-based shared secret. This still provides inexpensive two-factor authentication without requiring additional hardware.

  13. Suresh Kaukuntly Says:

    Well I am not a security geek, but was really fascinated with the Vidoop’s approach of visual login. I decided to really check whether the system is as secured as claimed.
    Here’s one scenario which i feel should be handled properly by vidoop. What if i want to login to my collegues account(may be bank), If i get hold of his mobile for 5 minutes (which i think is not a difficult task) can i login to his vidoop account?????
    Here’s how it can be done,
    1. Get the mobile(or should i say, steal the mobile:-) )
    2. Go to vidoop login page and click [I forgot my login categories], It asks for user name, Enter ur friends username(i guess it shouldn’t be difficult to know), then it asks “Where do you want your one-time pin sent?”, select the mobile number.
    3. You should recieve the pin over the mobile, and then its done, U have the complete access to his account:-)

    Vidoop really fails here, I use RSASecureid at my office for logging into VPN, and Even if someone gets over the secureid, they cannot login unless they know the password, I guess Vidoop can follow similar 2 factor auth to improve the security.

    PS: My assumption here is that mobile is accessible and we know his user name, Also i didn’t actually try this on mobile as Vidoop currently do not provide mobile service in Bangalore,India. So I tried this approach assuming i know the registered email id and password. Also please not that I am not promoting RSA here, As i will not get any benefit by doing so:-)

  14. Scott Blomquist Says:

    Suresh,

    Actually, the attack that you mention will NOT work.

    For category reset, if you have at least one phone number (either voice or SMS), the site require that you use an email address _and_ your phone to reset your password.

    In email-only cases, such as yours, the PIN is sent to an email account. This is not significantly different than the password reset process used on most web sites with which you have an account today.

  15. Suresh Kaukuntly Says:

    Hi Scott,
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    For category reset, if you have at least one phone number (either voice or SMS), the site require that you use an email address _and_ your phone to reset your password.
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    In my above attack i assume the phone is accessible to me(May be I want to break into my collegues bank account, so his phone is easily accessible to me). So isn’t the requirement that “email address_and_your phone” is satisfied?

    Also now a days many spyware automatically takes the screen shots(may be parents want to keep vigilance on their children’s internet usage). So is it possible for such a spyware to record the input password and the store the image grid as a image file and send it across to hacker? The hacker can then easily match the input password and the image to find out the categories?????
    Just a thought as he may not use it because he will not be having the software token, but nonetheless he will get to know one of the factor of authentication i.e The secret categories.

  16. Subodh Says:

    Its a wonderful article.
    i would like to know one question :

    Can we bypass CAPTCHA through Selenium script ?

    Please reply on email id.

    Thanks
    ~Subodh