Vidoop Under Attack.

Published on: 1178756195
Vidoop, as they claim, is a new kind of security scheme built around single sign-on and was thought to be secure. Well, that makes me shiver when I read it back. Anyway, it seems that web security experts are already attacking it. In this post, a quick review of how they do it and my viewpoints on it.

OpenID by Vidoop is a single sign-on for the web: a single identity you can use at the various websites that accept the credential. Your identity acts as your single sign-on for any such website.

How Vidoop works.
Vidoop is essentially a combination of a graphical password scheme and a client-side cookie. During setup, the user chooses a secret: a set of three image categories out of 25 (e.g., the user might choose cats, dogs, and birds).

To log in, the user enters their username (or OpenID URI). The server presents a grid of 12 images from different image categories. Each picture has a random character superimposed on it, and three of the images are from the user's pre-selected categories. The user derives a one-time PIN by entering the three letters shown on the images from their own categories.

Attacking Vidoop
Vidoop claims to be resistant to all forms of hacking. They claim to resist phishing, keystroke logging, and man-in-the-middle (MITM) attacks. Now what is wrong with that statement, you ask? Well, you probably raised your eyebrows at the MITM claim. And you are right: Vidoop doesn't protect you from this, because clearly they don't understand what MITM actually is.

"Ian Fischer was able to construct a man-in-the-middle (MITM) attack that allows us to capture users' credentials and to login to their accounts. We recorded a video that demonstrates a MITM attack in progress at myvidoop.com. Ian Fischer, a Harvard University student and research intern at CommerceNet, created the attack in a few hours, by modifying freely available proxy software on the Internet. We describe the attacks in more detail below."

The next video shows you a man-in-the-middle attack on Vidoop: http://s3.amazonaws.com/vidupe/vidupe.mov

Ouch... As you can imagine, I cannot wait to get my hands on this little puppy!

They claim to protect you from:

- Phishing
- Keystroke logging
- Man-in-the-middle attacks
- Brute Force

I don't really get what they mean by brute force here. And keystroke logging is done on the user's PC itself in most cases, so keystroke logging of the Vidoop login is still possible. I even see it as a weaker form of security if you have only one password for all your passwords, as with Bruce Schneier's program PasswordSafe; I really can't understand the reasoning behind this form of security.
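To make the login grid from the "How Vidoop works" section and the brute-force question above concrete, here is an added Python model of the scheme as the text describes it; this is not Vidoop's code, and the category names, the letter alphabet and the any-order PIN check are assumptions.

```python
import random
import secrets
import string
from math import comb, perm

# Constructed stand-in for Vidoop's 25 image categories (names are assumptions).
CATEGORIES = [f"category{i}" for i in range(25)]
GRID_SIZE = 12      # images shown per login, as described above
SECRET_SIZE = 3     # categories the user picked at setup

def make_challenge(user_categories, seed=None):
    """Build one login grid: the user's 3 categories plus 9 decoys, each cell
    tagged with a distinct random letter. A fixed seed gives a reproducible
    grid for testing; a real server would only ever use the system CSPRNG."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    decoys = rng.sample([c for c in CATEGORIES if c not in user_categories],
                        GRID_SIZE - SECRET_SIZE)
    cells = list(user_categories) + decoys
    rng.shuffle(cells)
    letters = rng.sample(string.ascii_uppercase, GRID_SIZE)
    return list(zip(cells, letters))          # [(category, letter), ...]

def expected_pin(challenge, user_categories):
    """The one-time PIN a legitimate user types: the letters sitting on
    their own categories, read in grid order."""
    return "".join(letter for cat, letter in challenge if cat in user_categories)

def verify(challenge, user_categories, typed_pin):
    """Server-side check. Any order is accepted, since the description above
    does not say whether the three letters must be typed in grid order."""
    return sorted(typed_pin.upper()) == sorted(expected_pin(challenge, user_categories))

def guess_probability(order_matters=False):
    """Chance that one blind guess of three grid letters passes verify() for
    a single challenge: 1/C(12,3) = 1/220 unordered, 1/P(12,3) = 1/1320
    ordered. A per-account attempt limit has to be sized against this."""
    return 1 / (perm(GRID_SIZE, SECRET_SIZE) if order_matters
                else comb(GRID_SIZE, SECRET_SIZE))
```

Note that the PIN is bound only to the grid, not to the site the user believes they are talking to, which is why a grid relayed by a proxy yields a PIN that verifies just as well for whoever relayed it.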

When I watched this presentation of Vidoop I immediately thought of the JavaScript guys among us. Really, watch it; I can't wait to see the first JavaScript attacks on it.

Anyway, as shown above, the MITM prevention is debunked too, and that leaves us only with phishing. So it can only stop a few phishers. Who will go through the hassle of even signing up at Vidoop, then? What they claim is pretty serious, but in my opinion they only give a false sense of security. And that is a real security risk, if you ask me.

Resources used.
http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html
http://blog.commerce.net/?p=271
http://www.vidoop.com/web_signon.php