
Hacker exploits RoboForm flaw to recover $3 million in Bitcoin


A flaw in the RoboForm password manager’s pseudo-random number generator tied password generation to the computer’s date and time, making it possible to recreate passwords if the creation date was known. The vulnerability enabled Joe Grand, a famed hacker, to help a European cryptocurrency owner recover $3 million worth of Bitcoin after years of being locked out.

The saga began when Michael, who prefers to remain anonymous, lost access to his 43.6 BTC stored in a software-based digital wallet. Michael had originally protected his wallet with a 20-character password generated by the RoboForm password manager and secured the password file using TrueCrypt encryption.

Unfortunately, the encrypted file became corrupted, locking him out of his substantial crypto holdings.

Michael reached out to Grand, who hesitated at first. However, Grand and his colleague Bruno tackled the problem after some time. They focused on reverse engineering the version of RoboForm that Michael had used in 2013.

Detailed analysis revealed a significant flaw in the RoboForm pseudo-random number generator, which tied password generation to the computer’s date and time.

By reconstructing the conditions under which Michael’s password was generated, including the parameters and time range, Grand and Bruno narrowed the possible passwords to a manageable number. They finally succeeded despite initial setbacks, including incorrect assumptions about the password’s parameters.
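To make the weakness concrete, here is a constructed illustration (added for this article, not RoboForm's code or Grand's tooling) of a generator seeded from a clock value beside one that draws from the OS CSPRNG, plus an audit helper showing why a known creation window collapses the effective search space; the alphabet and one-second seeding are assumptions made for the example.

```python
import math
import random
import secrets
import string

# Constructed alphabet for the example; RoboForm's real character set and
# seeding scheme are not described in the article and are not assumed here.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()"


def weak_generate(length: int, seed_time: int) -> str:
    """Toy time-seeded generator: every character is a deterministic
    function of seed_time, so the number of distinct passwords it can emit
    is bounded by the number of plausible seeds, not len(ALPHABET)**length."""
    rng = random.Random(seed_time)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int) -> str:
    """Draw each character from the OS CSPRNG; no reproducible seed exists."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int) -> float:
    """Entropy the password looks like it has: log2(|alphabet| ** length)."""
    return length * math.log2(len(ALPHABET))


def effective_entropy_bits(window_seconds: int) -> float:
    """Entropy a time-seeded password actually has once the creation window
    is known: log2(number of candidate one-second seeds)."""
    return math.log2(window_seconds)


def reproducible_within(password: str, length: int, start: int, end: int) -> bool:
    """Audit check: can this password be regenerated from any one-second
    seed in [start, end]? True means its strength is the width of the
    window, and it should be rotated."""
    return any(weak_generate(length, t) == password for t in range(start, end + 1))


if __name__ == "__main__":
    t0 = 1_356_000_000  # constructed creation timestamp
    pw = weak_generate(20, t0)
    print(f"nominal:   {nominal_entropy_bits(20):.1f} bits")
    print(f"effective: {effective_entropy_bits(7 * 86400):.1f} bits for a one-week window")
    print("reproducible from a +/-1h window:", reproducible_within(pw, 20, t0 - 3600, t0 + 3600))
```

A 20-character password from this alphabet advertises about 123 bits, but if its generator was seeded from the clock and the creation week is known, only about 19 bits of search remain.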

[Photo: cryptocurrency Bitcoin, by Andre Francois Mckenzie]

Interestingly, the flawed password generation method in older versions of RoboForm could still pose a security risk for other users. RoboForm’s maker, Siber Systems, confirmed they fixed the flaw with the 7.9.14 update in 2015 but did not provide detailed information on how the issue was addressed.

Grand expressed concerns that without proper notification to users, many might still be using vulnerable passwords generated before the fix.

“I’m still not sure I would trust it without knowing how they actually improved the password generation in more recent versions,” says Grand in an interview with Wired. “I’m not sure if RoboForm knew how bad this particular weakness was.”

Moreover, as noted by Wired, Siber Systems didn’t notify customers about the fix, so customers have no idea that they should generate new passwords. Anyone still using a password generated before the 7.9.14 update therefore has a password that remains vulnerable.

“We know that most people don’t change passwords unless prompted,” explains Grand. “Out of 935 passwords in my password manager (not RoboForm), 220 of them are from 2015 and earlier, and most of them are [for] sites I still use.”

Users should change any passwords they haven’t changed in a while to protect themselves from this RoboForm flaw.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
