Unless you are a human supercomputer, remembering passwords is not easy, especially if you use a different password for each site. Luckily, to make the whole process easier, there is a growing market of password managers and lockers that add extra layers of security.
But if you are using the mobile version of RoboForm, a popular password manager from the password management company of the same name, you might be at risk, a UK-based security researcher claims.
I have personally been using RoboForm for the last few months. It is a password manager application developed by Siber Systems Inc. for various platforms that stores your sensitive data in one place, protected by a RoboForm account and encrypted with a secret master password. RoboForm users can then quickly access those passwords and notes anytime, anywhere.
But IT security consultant and tech enthusiast Paul Moore discovered one critical vulnerability in the app and one privacy loophole in RoboForm's service that could allow attackers and prying eyes to get at users' personal data, including stored login credentials for various websites and payment card details.
Note: Yesterday we published this article with the conclusion that RoboForm is secure, but after re-evaluating and discussing all factors and attack vectors with Moore, we found that RoboForm may leak your private data to attackers.
1) BYPASSING ROBOFORM DEVICE PIN PROTECTION
The vulnerability disclosed by Paul Moore affects RoboForm's Android and iOS apps and could allow anyone with access to the device's file system to bypass RoboForm's PIN protection and reach users' sensitive data.
RoboForm's mobile apps offer a PIN protection that only guards the app's user interface against unauthorized access, much like Android's popular 'AppLock' application; it is not what encrypts the stored data.
Moore claimed that simply by deleting a specific line (pref_pincode) from RoboForm's preferences file, stored in the app's folder on the device file system, he was able to bypass the authentication step and access confidential data on an Android device without ever entering the master password, as shown in the video demonstration he uploaded.
The important caveat is that the RoboForm app folder Moore claims to have accessed lives in a protected part of the device file system that can't be read or written by the user or by any third-party app on a non-rooted device. An attacker therefore needs root (or an equivalently privileged position on the device) before this bypass is possible; the underlying weakness is that the PIN check fails open when its preference entry is missing, rather than being tied to the key that protects the data.
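The following is an added illustration, not RoboForm's code, of the design flaw the PIN bypass relies on: a lock that only consults a flag in a preferences file fails open when an attacker with file-system access deletes that entry, whereas a lock whose PIN material wraps the vault key loses access instead. The preference key name pref_pincode is the one named above; the file layout, the key sizes, the static salt, the sample vault contents and the toy stream cipher are all assumptions for the example.

```python
# Added example, not RoboForm's implementation: a preferences-gated PIN lock that
# fails open when its entry is deleted, next to one where the PIN wraps the
# vault key. Layout, salts and sample data are constructed for illustration.
import hashlib
import hmac

SALT = b"constructed-static-salt"             # constructed; real apps use a random per-install salt
VAULT_PLAINTEXT = b"login=alice; card=4111"   # constructed sample of what the app protects


def kdf(secret: str, salt: bytes, length: int = 32) -> bytes:
    """Derive key material from a PIN or master password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=length)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHAKE-256 keystream derived from key.
    Illustration only; production code should use an AEAD such as AES-GCM."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


# --- Pattern 1: the PIN only gates the UI; secrets sit in clear on disk -----------

def build_vulnerable_prefs(pin: str) -> dict:
    """pref_pincode holds a PIN hash; the vault itself is not encrypted by it."""
    return {"pref_pincode": kdf(pin, SALT).hex(), "vault": VAULT_PLAINTEXT}


def vulnerable_unlock(prefs: dict, pin_entered: str):
    """Return the vault if the PIN matches, or if no PIN entry exists (fails open)."""
    stored = prefs.get("pref_pincode")
    if stored is None:
        return prefs["vault"]            # "no PIN configured" is treated as "unlocked"
    if hmac.compare_digest(stored, kdf(pin_entered, SALT).hex()):
        return prefs["vault"]
    return None


# --- Pattern 2: the PIN wraps the vault key, so deleting it removes access ---------

def build_hardened_prefs(master_password: str, pin: str) -> dict:
    """Vault encrypted under the master key; pref_pincode stores that key wrapped under the PIN."""
    master_key = kdf(master_password, SALT)
    pin_key = kdf(pin, SALT + b"pin")
    return {
        "vault": xor_stream(master_key, VAULT_PLAINTEXT),
        "vault_mac": hmac.new(master_key, b"check", "sha256").hexdigest(),
        "pref_pincode": xor_stream(pin_key, master_key),   # wrapped master key
    }


def hardened_unlock(prefs: dict, pin_entered: str):
    """Unwrap the master key with the PIN; a missing or wrong entry yields nothing."""
    wrapped = prefs.get("pref_pincode")
    if wrapped is None:
        return None                      # no PIN wrap: only the master password can unlock
    master_key = xor_stream(kdf(pin_entered, SALT + b"pin"), wrapped)
    expected = hmac.new(master_key, b"check", "sha256").hexdigest()
    if not hmac.compare_digest(expected, prefs["vault_mac"]):
        return None                      # wrong PIN: recovered key is garbage
    return xor_stream(master_key, prefs["vault"])


def delete_pin_entry(prefs: dict) -> dict:
    """What an attacker with file-system access does: remove the pref_pincode line."""
    edited = dict(prefs)
    edited.pop("pref_pincode", None)
    return edited


if __name__ == "__main__":
    v = build_vulnerable_prefs("1234")
    print(vulnerable_unlock(delete_pin_entry(v), "0000"))   # vault opens without the PIN
    h = build_hardened_prefs("correct horse", "1234")
    print(hardened_unlock(delete_pin_entry(h), "0000"))     # None: nothing left to unlock with
```

The check a practitioner wants here is the last two calls: after the same tampering, the first pattern hands over the vault while the second returns nothing, because the PIN material is an input to decryption rather than a switch the app consults. Note that the hardened pattern still depends on the master key never being written to disk in clear, which is exactly the property a UI-only PIN does not give you.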