
Sunday, July 27, 2014

Critical Vulnerability and Privacy LoopHole Found in RoboForm Password Manager


Unless you are a human supercomputer, remembering passwords is not easy, especially if you use a different password for each site. Luckily, to make the whole process easier, there is a growing market for password managers and lockers with extra layers of security...

But if you use the mobile version of RoboForm, one of the most popular password managers, to manage your passwords, then you might be at risk, a UK-based security researcher has claimed.

I have personally been using RoboForm for the last few months. It is a great password manager application developed by Siber Systems Inc. for various platforms that stores your sensitive data in one place, protected by a RoboForm account and encrypted with a secret master password. RoboForm users can then quickly access those passwords and notes anytime, anywhere.

But IT security consultant and tech enthusiast Paul Moore has discovered one critical vulnerability in its app and one privacy loophole in RoboForm's service that could allow attackers and prying eyes to get at users' personal data, including stored login credentials for various websites and payment card details.

Note: Yesterday we published this article concluding that RoboForm is secure, but after re-evaluating all the factors and attack vectors and discussing them with Moore, we found that RoboForm may leak your private data to attackers.

1) BYPASSING ROBOFORM DEVICE PIN PROTECTION
The vulnerability disclosed by Paul Moore affects users of RoboForm's Android and iOS apps and could allow anyone who can modify the app's files on the device to bypass RoboForm's PIN protection and access the user's sensitive data.

RoboForm's mobile apps offer PIN protection that only guards the app's interface against unauthorized access, much like Android's popular 'AppLock' application; it is not tied to the encryption of the stored data.

Moore claimed that simply deleting a specific line (pref_pincode) from RoboForm's preferences file, stored in the app's folder on the device's file system, let him access the confidential data and bypass the authentication process on an Android device without even needing the master password, as shown in the video demonstration he uploaded.
The important point here is that the app folder Moore modifies lives in the app's private data area, which cannot be accessed by the user or by any third-party app on a non-rooted device.

However, the RoboForm team failed to reproduce the flaw and rejected the bug report. “We are not able to replicate it. As I mentioned in the write-up, it's done using an emulator, not a real device. While it's feasibly possible, it's very unlikely that the average person finding a phone with RoboForm installed could execute the precise steps needed to do what Mr. Moore is doing with the emulator,” the RoboForm team said.

Yesterday, when I also failed to reproduce it on my own Android device, Moore explained to me that even after the file is modified, the RoboForm app keeps using the preferences it has already loaded into memory, so either the RoboForm app or the device has to be restarted before the PIN protection is bypassed.

So I tried again. After restarting my Samsung Galaxy S4, I found that the RoboForm app opened without asking for any PIN. Cool! Moore's vulnerability works.

The vulnerability is serious, because the RoboForm app stores all my passwords, secret notes and payment card details, and the PIN bypass could allow anyone with five minutes' access to my phone to steal all of that sensitive data.
“Additionally, our position is that if someone is able to root a phone, it's not just RoboForm that is vulnerable. Any other sensitive app would be vulnerable,” the RoboForm team added.
For successful exploitation the targeted device needs to be rooted or jailbroken, but an attacker who has physical possession of a stolen device can often do that themselves.
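To make concrete why a PIN that exists only as a preference entry can be bypassed by editing a file, here is an added example written for this edit; it is not RoboForm's code and not Moore's proof of concept. It models two designs in Python: a gate that checks whether a pref_pincode entry exists in a preferences store, and a design in which the PIN unlocks a wrapped key that the stored data actually needs. The preferences are modelled as a dict; the storage format of the PIN (a SHA-256 digest), the other key names, the PBKDF2 parameters and the sample values are assumptions for illustration, and the real app's file layout is not reproduced.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Design 1: the PIN is only an interface gate.
# The preference name pref_pincode is the one the article mentions; storing
# a SHA-256 of the PIN is assumed for illustration.  The data itself is
# reachable regardless of the PIN, so the only question is whether the lock
# screen is shown.

def _pin_digest(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()

def gate_unlocked(prefs: dict, entered_pin: Optional[str]) -> bool:
    """True if the app would open.  With no pref_pincode entry the app
    assumes no PIN was ever configured and opens without asking."""
    stored = prefs.get("pref_pincode")
    if stored is None:
        return True                                   # fail-open
    return entered_pin is not None and hmac.compare_digest(stored, _pin_digest(entered_pin))

# Design 2: the PIN unlocks a wrapped key that the stored data needs.

def _pin_kdf(pin: str, salt: bytes) -> bytes:
    # Iteration count is illustrative, not RoboForm's.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000, dklen=32)

def enroll_pin(pin: str, master_key: bytes) -> dict:
    """Persist only a salt, the master key XOR-wrapped under a PIN-derived
    key, and a check value.  (XOR of a random 32-byte key with a 32-byte
    KDF output is a one-block wrap; a shipping app would keep the key in
    hardware-backed storage instead.)"""
    salt = secrets.token_bytes(16)
    wrap = _pin_kdf(pin, salt)
    return {
        "pin_salt": salt.hex(),
        "wrapped_master_key": bytes(a ^ b for a, b in zip(master_key, wrap)).hex(),
        "check": hmac.new(master_key, b"check", hashlib.sha256).hexdigest(),
    }

def unlock(prefs: dict, entered_pin: str) -> Optional[bytes]:
    """Return the master key, or None when the PIN is wrong or the entries
    are missing.  Deleting the preference now locks the data, not unlocks it."""
    try:
        salt = bytes.fromhex(prefs["pin_salt"])
        wrapped = bytes.fromhex(prefs["wrapped_master_key"])
        check = prefs["check"]
    except KeyError:
        return None                                   # fail-closed
    candidate = bytes(a ^ b for a, b in zip(wrapped, _pin_kdf(entered_pin, salt)))
    expected = hmac.new(candidate, b"check", hashlib.sha256).hexdigest()
    return candidate if hmac.compare_digest(expected, check) else None

def demo() -> dict:
    """Replay the edit from the article against both designs: an attacker
    with root deletes the PIN entry and restarts the app."""
    gate_prefs = {"pref_pincode": _pin_digest("1234")}
    gate_before = gate_unlocked(gate_prefs, None)     # lock screen enforced
    del gate_prefs["pref_pincode"]                    # the line Moore deleted
    gate_after = gate_unlocked(gate_prefs, None)      # opens with no PIN at all

    master_key = secrets.token_bytes(32)
    wrap_prefs = enroll_pin("1234", master_key)
    good = unlock(wrap_prefs, "1234") == master_key
    wrong = unlock(wrap_prefs, "0000")
    del wrap_prefs["wrapped_master_key"]
    deleted = unlock(wrap_prefs, "1234")
    return {"gate_before": gate_before, "gate_after_delete": gate_after,
            "wrap_good_pin": good, "wrap_wrong_pin": wrong,
            "wrap_after_delete": deleted}

if __name__ == "__main__":
    print(demo())
```

Two caveats go with this. First, the wrapped-key design only raises the bar: anyone who can read the file can brute-force a four-digit PIN offline in at most 10,000 KDF runs, so on a rooted, stolen device the real protection has to come from the master password or a hardware-backed keystore, not from the PIN. Second, the restart Moore needed shows the app caches its preferences in memory; a design that re-reads and re-validates its lock state on every resume would at least close the "edit the file, then wait for the next launch" window, though not the root problem.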

2) PRIVACY LOOPHOLE: MASTER PASSWORD SECRECY
Moore believes that the company, as a privacy loophole, can end up holding users' secret master password on Siber Systems' servers. But before getting to the details of this loophole, you should first understand how RoboForm works.

After installing the RoboForm app on an Android or Windows system, it asks you to either register or log in with a RoboForm account. Once logged in, you get options to create or edit payment card details, notes, account passwords and so on.

The mobile app or desktop software then prompts the user to set a “Master Password”, which is used to encrypt the data with strong encryption (the company calls it military grade). The company says the master password works like a private crypto key: the app uses it to encrypt the files locally on the device and then uploads them to the company's server in .RFN format.

Moore claims that the company stores the master password and asked on Twitter, "How do you decrypt online before returning the data if you don't get the key?" RoboForm replied, "Paul, we decrypt the data locally, not on the servers."

Once set, the master password is stored only on the device, to automate future encryption and decryption for the user's convenience.

ROBOFORM WEB APP CAN STORE YOUR MASTER PASSWORD
Up to this point, Moore and I agree that the company is not capturing our private master password in the device or Windows apps, but RoboForm Everywhere also has an online web app at https://online.roboform.com/login?lang=en.

Using this web app hosted on Siber Systems' servers, users can log in to their RoboForm account and access the stored data from a web browser, as shown in the screenshot:
[Screenshot: RoboForm online app]
But before they can access the encrypted data, users are required to enter their master password there so that it can be decrypted. Unless that decryption is done by JavaScript running in the browser, this means users are sending their master key to Siber Systems' servers and the company is decrypting the data on its servers.

That mechanism is the opposite of, and conflicts with, the company's stated policy that it does not hold users' master key on its servers and instead decrypts the data locally on the user's device.
“The Server has the necessary key required to decrypt the data. Breaking the key into segments does nothing to increase security. Ultimately, it doesn't change the fact that at some point, the private key is no longer private,” Moore said in support of his claim.
At this point neither I nor Moore can prove that the company keeps your master key permanently after you have decrypted your data once via RoboForm's web app. But in this age of mass surveillance, where every company is gathering our information and eroding our privacy, it is hard to trust any company's “we get it, but we don't store it.”
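The two flows this section contrasts, as an added example written for this edit (not RoboForm's code, not its .RFN format, and not evidence of what online.roboform.com actually does): the client-side flow described under "how RoboForm works", in which the key derived from the master password never leaves the device and the server only ever stores ciphertext, beside the web-app flow described above, in which the master password itself is submitted to the server, which derives the key and decrypts. The cipher is a stdlib-only HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, standing in for AES-GCM so the block runs offline; the PBKDF2 iteration count, the endpoint names and the sample vault line are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Minimal vault crypto, stdlib only (a stand-in for AES-GCM, not RoboForm's format).

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Iteration count is an illustrative value.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 50_000, dklen=32)

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC subkeys derived from the master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag                           # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

# The service: stores blobs and records everything it is handed (what a
# server-side log, or a subpoena, could see).

class Server:
    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.salts: Dict[str, bytes] = {}
        self.received: List[Tuple[str, str, bytes]] = []   # (endpoint, user, payload)

    def upload(self, user: str, salt: bytes, blob: bytes) -> None:
        self.received.append(("upload", user, blob))
        self.salts[user], self.blobs[user] = salt, blob

    def download(self, user: str) -> Tuple[bytes, bytes]:
        return self.salts[user], self.blobs[user]

    def web_decrypt(self, user: str, master_password: str) -> bytes:
        # Models the web-app flow as the article describes it: the master
        # password itself arrives at the server, which derives the key and decrypts.
        self.received.append(("web_login", user, master_password.encode()))
        return decrypt(derive_key(master_password, self.salts[user]), self.blobs[user])

def server_saw_secret(server: Server, master_password: str) -> bool:
    return any(p == master_password.encode() for _, _, p in server.received)

def client_side_flow(server: Server, user: str, master_password: str, vault: bytes) -> bytes:
    """Desktop/mobile flow: the key is derived and used only on the device."""
    salt = secrets.token_bytes(16)
    server.upload(user, salt, encrypt(derive_key(master_password, salt), vault))
    salt_back, blob = server.download(user)           # later, on any device
    return decrypt(derive_key(master_password, salt_back), blob)

def demo() -> dict:
    vault = b"site=example.test user=alice pass=correct-horse"   # constructed sample
    s = Server()
    local = client_side_flow(s, "alice", "hunter2-master", vault)
    saw_local = server_saw_secret(s, "hunter2-master")   # False: only ciphertext crossed
    via_web = s.web_decrypt("alice", "hunter2-master")
    saw_web = server_saw_secret(s, "hunter2-master")     # True: the password itself crossed
    return {"local_ok": local == vault, "web_ok": via_web == vault,
            "server_saw_password_local": saw_local, "server_saw_password_web": saw_web}

if __name__ == "__main__":
    print(demo())
```

The practical check for any such web app is the browser's network inspector: if the master password, or a key derived from it, appears in the request body at login, the server can decrypt the vault whether or not it chooses to store anything. If the page's JavaScript does the decryption locally, the password stays on the client, but the user is then trusting whatever JavaScript the server delivers on each visit, which the server could change at any time. Either way the server sits inside the trust boundary in a way the native clients, as described above, do not.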
