Attacks on Vidoop Authentication

May 7th, 2007 by Rachna Dhamija

A new authentication scheme was announced recently at the Web 2.0 Expo: Vidoop http://www.vidoop.com.

Vidoop describes itself as a web single sign-on solution that is resistant to “all prevalent forms of hacking”. Specifically, they claim to resist “phishing, keystroke logging, brute force, and many man-in-the-middle attacks” and to resist automated attacks by “requiring human cognition” on the part of the attacker. This language is misleading. In reality, the scheme only resists simple phishing attacks — it does not prevent man-in-the-middle attacks, is vulnerable to brute force attacks, and it is resistant to keyboard loggers only when screen loggers are not present.

We were able to construct a man-in-the-middle (MITM) attack that allows us to capture users’ credentials and to login to their accounts. We recorded a video that demonstrates a MITM attack in progress at myvidoop.com. Ian Fischer, a Harvard University student and research intern at CommerceNet, created the attack in a few hours, by modifying freely available proxy software on the Internet. We describe the attacks in more detail below.

How Vidoop works: Vidoop is essentially a combination of a graphical password scheme and a client-side cookie. During setup, a user chooses a secret, which is a set of three “image categories” out of 25 categories (e.g., the user might choose cats, dogs, and birds).

To login, the user has to enter their username (or OpenID URI). The server presents a grid of 12 images from different image categories. Each picture has a random character superimposed on it, and three of the images are from the user’s pre-selected categories. The user derives his one-time PIN by entering the three letters corresponding to his image categories.

Attacks: We recently conducted a study that analyzed attacks on Bank of America’s SiteKey scheme [1]. Vidoop bears some similarities to SiteKey and shares many of the same vulnerabilities. In particular, Vidoop is vulnerable to a man-in-the-middle attack in which the attacker simulates the enrollment process. This is a well-known attack on SiteKey, which was first published in 2005 [2], has been well analyzed by Jim Youll [3], and was more recently demonstrated in a video by Indiana University researchers [4].

As with SiteKey, the user must have a Flash cookie and/or HTTP cookie on their machine in order to log in (this cookie acts as a “second factor” that ties the machine to the user’s account). If this cookie is erased, or if the user logs in from a new machine, the user needs to “enroll” the machine. The SiteKey enrollment process requires the user to answer a challenge question before receiving their cookie. This opens up a MITM attack, where the phisher lures the user to his website and presents the enrollment message “You are logging in from a computer that we don’t recognize”. The phisher proceeds to relay the challenge question from the bank to the user, and then relays the user’s answer back to the bank. This allows the phisher to ultimately capture the user’s SiteKey image and password. Because the user has probably seen the re-enrollment message several times in legitimate circumstances, he is likely to answer the challenge question and might not even know he was the victim of a phishing attack.

In Vidoop’s enrollment process, the user has to request an activation code, instead of answering a challenge question (the activation code is delivered via email, a phone call or SMS text message). Once the user enters the activation code, the server will place a cookie on the machine, and allow the user to log in as usual. This opens up the same MITM described above — now, instead of relaying the challenge question to the bank, the phisher simply relays the activation code:

  1. The phisher directs the user to phishingsite.com, which looks just like the Bank site, and the user enters his username.

  2. The phisher relays the username to the real Bank and is presented with the message “We don’t recognize your computer. Please select how you would like to receive your activation code”. The phisher relays this message to the user.

  3. The user selects the method of delivery, and the phisher relays this choice to the Bank. The user receives the activation code and enters it into the phishing website.

  4. The phisher relays the activation code to the Bank and receives the cookie and the user’s authentication image grid.

  5. The phisher displays the user’s image grid to the user in order to obtain his PIN and secret “image categories”. He relays the PIN back to the bank in order to log in.

Vidoop’s requirement for out-of-band communication does not increase the cost of launching an automated MITM attack. In the SiteKey attack, the MITM phisher obtains the SiteKey image and password and a secure cookie, which allows him to log in indefinitely. In Vidoop, the MITM attacker obtains the user’s PIN, which can only be used immediately to login to the account one time. He also receives the user’s image categories and a cookie that allows him to log in in the future. To make use of the cookie, the attacker has to do a little more work.
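The five relay steps above, and the later reuse of the cookie described in the previous paragraph, re-enacted in one process. This is an added example, not Vidoop's code and not the proxy the authors modified: Bank, User and Phisher are toy stand-ins for the real parties, and every "network" message is a plain function call so the exchange can be traced end to end. Two simplifications are assumptions of the toy rather than Vidoop behaviour: it uses exactly 12 image categories, so every grid contains the user's three, and out-of-band delivery is modelled as a call that hands the activation code to the User object only (the phisher never sees it directly, exactly as in the real attack).

```python
"""Toy re-enactment of the enrollment-relay MITM on a Vidoop-style login."""
import secrets
import string

# Constructed: 12 categories, so each 12-image grid shows all of them once.
CATEGORIES = ["cats", "dogs", "birds", "cars", "flowers", "boats",
              "trees", "fish", "houses", "planes", "horses", "fruit"]
_rng = secrets.SystemRandom()


class Bank:
    """Server side: activation code -> machine cookie -> image grid -> one-time PIN."""

    def __init__(self, users):
        self.users = users      # username -> frozenset of 3 secret categories
        self.pending = {}       # username -> outstanding activation code
        self.cookies = {}       # cookie -> username (the "second factor")
        self.grids = {}         # cookie -> {category: letter} for the open login

    def start_login(self, username, cookie=None):
        """Recognised machine: issue a fresh grid. Otherwise start enrollment."""
        if self.cookies.get(cookie) == username:
            letters = _rng.sample(string.ascii_uppercase, len(CATEGORIES))
            self.grids[cookie] = dict(zip(CATEGORIES, letters))
            return "grid", self.grids[cookie]
        self.pending[username] = "".join(_rng.choice(string.digits) for _ in range(6))
        return "enroll", "We don't recognize your computer. Select how to receive your activation code."

    def send_code(self, username, user):
        """Out-of-band delivery: the code reaches the real user, not whoever asked."""
        user.receive(self.pending[username])

    def activate(self, username, code):
        """A correct code yields a cookie for whichever machine submitted it."""
        if self.pending.get(username) != code:
            return None
        del self.pending[username]
        cookie = secrets.token_hex(8)
        self.cookies[cookie] = username
        return cookie

    def login(self, cookie, pin):
        """PIN = letters on the user's three categories; order- and case-insensitive."""
        grid = self.grids.pop(cookie)             # grid, and hence PIN, is single-use
        secret = self.users[self.cookies[cookie]]
        return set(pin.upper()) == {grid[c] for c in secret}


class User:
    def __init__(self, name, categories):
        self.name, self.categories, self.inbox = name, frozenset(categories), None

    def receive(self, code):
        self.inbox = code                          # code arrives by email/SMS/phone

    def pin_for(self, grid):
        return "".join(grid[c] for c in self.categories)


class Phisher:
    """Relays each step between victim and Bank and keeps what comes back."""

    def __init__(self, bank):
        self.bank, self.cookie, self.categories = bank, None, None

    def attack(self, victim):
        status, _ = self.bank.start_login(victim.name)                 # steps 1-2
        assert status == "enroll"
        self.bank.send_code(victim.name, victim)                        # step 3: code goes to the victim
        self.cookie = self.bank.activate(victim.name, victim.inbox)     # step 4: victim typed it into the phishing page
        _, grid = self.bank.start_login(victim.name, self.cookie)       # step 5: grid fetched with the phisher's cookie
        pin = victim.pin_for(grid)                                      # victim reads the relayed grid and enters the PIN
        # Letters are unique per grid, so the PIN reveals the three secret categories.
        self.categories = frozenset(c for c, ch in grid.items() if ch in pin.upper())
        return self.bank.login(self.cookie, pin)

    def login_later(self, username):
        """Cookie plus learned categories: the victim is no longer needed."""
        _, grid = self.bank.start_login(username, self.cookie)
        return self.bank.login(self.cookie, "".join(grid[c] for c in self.categories))


def run_attack():
    alice = User("alice", {"cats", "dogs", "birds"})
    bank = Bank({alice.name: alice.categories})
    mallory = Phisher(bank)
    first = mallory.attack(alice)
    return {
        "first_login": first,
        "categories_recovered": mallory.categories == alice.categories,
        "later_login": mallory.login_later(alice.name),
    }


if __name__ == "__main__":
    print(run_attack())
```

Note where the out-of-band step fails to help: the code is delivered to the right person, but that person hands it to the phishing page, and it is the phisher's machine that ends up holding the cookie. In this toy the phisher also recovers the categories automatically because each grid letter is unique; the post's point about needing a human for later logins is about recognising images in a fresh grid, which the toy sidesteps by naming categories directly.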

Vidoop claims that subsequent logins require a human to determine the image categories and to look at the image grid to obtain the user’s PIN. The necessity for a human in the loop increases the cost of an attack, and most phishers won’t bother to go through the effort. They don’t need to! The password space is so small that, once you have a cookie, a brute force attack is trivial. The myvidoop.com PIN is 3 characters chosen from the 26 letters of the alphabet, is order-independent, and is case insensitive, so the attacker only has to search 2,600 combinations (26 choose 3). With four login attempts available, the chances of success are 1 in 650. If the phisher uses automated character-recognition programs to read the 12 letters actually shown on the grid, he can reduce the number of combinations to 220 (12 choose 3), or a 1 in 55 chance of success with 4 login attempts. Note that brute force attacks are also easy to mount by anyone who shares the machine with the user.

Vidoop could increase the attacker workload by increasing the size of the PIN (the number of image categories), increasing the image grid, increasing the character set (e.g., adding digits and symbols), requiring order dependence and non-repeatability, or by reducing the number of attempts that are allowed. To defeat character recognition, they could eventually employ captcha-type characters. All of these options will significantly reduce the usability of the system.
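The search-space arithmetic from the two paragraphs above, as an added example (not Vidoop's code). It reproduces the post's figures (26 choose 3 = 2,600 for a blind guess, 12 choose 3 = 220 with character recognition, four attempts) and goes beyond them by parameterising the hardening options just listed: longer PINs, a bigger grid, a larger character set, order dependence and fewer attempts. The lockout oracle, the four-attempt limit it enforces and the 12-letter grid are constructed for illustration.

```python
"""Search space and success odds for brute-forcing a Vidoop-style one-time PIN."""
from fractions import Fraction
from itertools import combinations, permutations
from math import comb, perm


def pin_space(alphabet, length, ordered=False):
    """Distinct PINs to try: unordered sets of distinct characters (Vidoop as
    described in the post) or ordered tuples if the scheme became order-dependent."""
    return perm(alphabet, length) if ordered else comb(alphabet, length)


def success_probability(space, attempts):
    """Chance that `attempts` distinct guesses include the single correct PIN."""
    return Fraction(min(attempts, space), space)


# (characters the attacker must search, PIN length, order-dependent, attempts before lockout)
SCENARIOS = {
    "blind guess, 26 letters":      (26, 3, False, 4),   # the post: 2,600 -> 1 in 650
    "OCR on the 12-image grid":     (12, 3, False, 4),   # the post: 220 -> 1 in 55
    "OCR, 4-category PIN":          (12, 4, False, 4),
    "OCR, order-dependent PIN":     (12, 3, True, 4),
    "OCR, 16-image grid":           (16, 3, False, 4),
    "OCR, single attempt":          (12, 3, False, 1),
    "blind guess, letters+digits":  (36, 3, False, 4),
}


def odds_table():
    """Map each scenario to (search space, probability of success per lockout window)."""
    return {name: (pin_space(a, n, o), success_probability(pin_space(a, n, o), t))
            for name, (a, n, o, t) in SCENARIOS.items()}


def make_oracle(secret_letters, max_attempts=4):
    """Stand-in for the login endpoint: order- and case-insensitive, and locked
    after `max_attempts` guesses (constructed; the post reports four attempts)."""
    secret, state = set(secret_letters.upper()), {"tries": 0}

    def check(pin):
        if state["tries"] >= max_attempts:
            raise RuntimeError("account locked")
        state["tries"] += 1
        return set(pin.upper()) == secret
    return check


def brute_force(grid_letters, oracle, attempts=4, length=3, ordered=False):
    """Attacker holding a machine cookie who has read the grid's letters (by OCR):
    submit candidate PINs until one succeeds or the attempt budget is spent."""
    gen = permutations if ordered else combinations
    for n, cand in enumerate(gen(grid_letters, length), start=1):
        if n > attempts:
            return None                      # stop before triggering the lockout
        pin = "".join(cand)
        if oracle(pin):
            return pin
    return None


if __name__ == "__main__":
    for name, (space, p) in odds_table().items():
        print(f"{name:30s} space={space:5d}  P(success)={p} ~ 1 in {float(1 / p):.0f}")
    grid = "QWERTYUIOPAS"                          # constructed: 12 letters read off one grid
    print(brute_force(grid, make_oracle("WQE")))   # secret is the first combination -> found
    print(brute_force(grid, make_oracle("PAS")))   # secret is the last combination -> None
```

Reading the table: moving from three to four categories on the same 12-image grid only raises the space from 220 to 495, and order dependence to 1,320; cutting attempts from four to one does as much as either. None of these changes the underlying problem that a cookie holder faces a search measured in hundreds or low thousands of guesses.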

Vidoop does improve upon SiteKey in its resistance to keyboard logging attacks. If a keyboard logger obtains the PIN, it is only useful for one login and only within the timeout period. Vidoop is not resistant to malware that contains both keyboard loggers and screen loggers, which are becoming increasingly common [5].

Graphical passwords do have other weaknesses. For example, an attacker can predict the type of image categories that are chosen, even with very limited information about the target user [6, 7]. However, targeted attacks are expensive to mount — we’ve only focused on the attacks that are easy to automate here.

Privacy: There is a gaping privacy hole in their system. Vidoop makes it easy to search for registered usernames, and they openly publish these on their website. An attacker can enter usernames and request that activation codes be sent to them via text message, cell phone or email, depending on the user’s preferences (this can be very costly and annoying for both Vidoop and its users). Initially, Vidoop had no time-out or restriction on the number of messages that could be sent by an unknown party. It appears that I can now only send 3 messages to any one person, after which there is a 9 minute timeout before further requests can be sent. By signing up for Vidoop, users essentially give anyone the right to send them Vidoop messages, without requesting their permission and without needing any contact information.

Usability: The cognitive overhead of selecting the Vidoop PIN is higher than recognizing the previously seen SiteKey image (the user must remember their semantic image categories, select images from the appropriate categories, find the associated characters and input them into a text box). However, Vidoop eliminates the need to recall a password, which is still a requirement with SiteKey. Vidoop eliminates the need to answer a challenge question during enrollment, but requires the user to check their email or phone and then input the activation code.

Summary: Before publishing our analysis, we communicated with Vidoop’s CTO, Scott Blomquist. He acknowledged that he is aware of these weaknesses and that the scheme is vulnerable to man-in-the-middle attacks. In comparison to simple password authentication, Vidoop does raise the bar for phishers. However, we find their advertising, and in particular their claims that they resist man-in-the-middle attacks and “all prevalent forms of hacking”, to be disingenuous.

[1] The Emperor’s New Security Indicators, Stuart Schechter, Rachna Dhamija, Andy Ozment, Ian Fischer, to appear in the Proceedings of the IEEE Symposium on Security and Privacy, May 2007.

[2] The Battle Against Phishing: Dynamic Security Skins, Rachna Dhamija and J. D. Tygar, in Proceedings of the Symposium on Usable Privacy and Security (SOUPS), July 2005.

[3] Fraud Vulnerabilities in SiteKey Security at Bank of America, Jim Youll, July 2006.

[4] Deceit-Augmented Man-in-the-Middle Attack Against Bank of America SiteKey Service, blog post and video, Christopher Soghoian, April 10, 2007.

[5] Anti-phishing Working Group, http://www.apwg.org/

[6] Deja Vu: A User Study. Using Images for Authentication, Rachna Dhamija and Adrian Perrig, in Proceedings of the 9th USENIX Security Symposium, August 2000.

[7] On User Choice in Graphical Password Schemes, Darren Davis, Fabian Monrose, and Michael K. Reiter, in Proceedings of the 13th USENIX Security Symposium, August 2004.