Monday, 7 July 2014

Critical Vulnerability and Privacy LoopHole Found in RoboForm Password Manager

Unless you are a human supercomputer, remembering passwords is not easy, especially if you use a different password for each site. Luckily, to make the whole process much easier, there is a growing market of password managers and lockers that add extra layers of security.

But if you use the mobile version of the popular password manager RoboForm, from the password management company of the same name, to manage your passwords, then you might be at risk, a UK-based security researcher claims.

I have personally been using RoboForm for the last few months. It is a great password manager application developed by Siber Systems Inc. for various platforms that stores your sensitive data in one place, protected by your RoboForm account and encrypted with a secret master password. RoboForm users can then quickly access those passwords and notes anytime, anywhere.

But IT security consultant and tech enthusiast Paul Moore discovered one critical vulnerability in its app and one privacy loophole in RoboForm's service that could allow attackers and prying eyes to obtain users' personal data, including stored login credentials for various websites and payment card details.

Note: Yesterday we published this article with the conclusion that RoboForm is secure, but after re-evaluating and discussing all the factors and attack vectors with Moore, we found that RoboForm may leak your private data to attackers.

1) BYPASSING ROBOFORM DEVICE PIN PROTECTION
The vulnerability disclosed by Paul Moore affects users of RoboForm's Android and iOS apps, and could allow anyone to bypass RoboForm's PIN protection in order to access users' sensitive data.

RoboForm's mobile apps offer PIN protection that only guards the app interface from unauthorized access, much like Android's popular 'AppLock' application.

Moore claimed that simply by deleting a specific line (pref_pincode) in RoboForm's preferences file, stored in a folder on the device file system, he was able to access confidential data and bypass the authentication process on an Android device without even needing the master password, as shown in the video demonstration he uploaded.

The important point to note is that the RoboForm app folder Moore accessed is located in the device's root directory, which cannot be accessed by the user or any third-party app on a non-rooted device.
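To make the design point concrete, here is an added toy model (not RoboForm's code, and not from the article): a lock that is only a flag in a preferences file, beside one where the PIN actually derives the key that protects the data. Only the preference name pref_pincode comes from the article; the secret notes, the other preference values and the toy SHA-256 counter-mode cipher are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy secret and preferences; "pref_pincode" is the key named in the article.
SECRET_NOTES = b"site=example.com user=alice pass=hunter2"
PREFS_WITH_PIN = {"pref_pincode": "1234", "theme": "dark"}
PREFS_PIN_REMOVED = {"theme": "dark"}  # same file with the pref_pincode line deleted


def flag_gate_unlock(prefs, entered_pin):
    """Weak design: the PIN is only a UI gate; the data itself is stored in the clear."""
    stored = prefs.get("pref_pincode")
    if stored is None or hmac.compare_digest(str(entered_pin), stored):
        return SECRET_NOTES  # no PIN configured (line deleted), or PIN matched
    return None


def _keystream(key, length):
    """Toy keystream: SHA-256 in counter mode (illustrative only, not a vetted cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(pin, plaintext):
    """Hardened design: derive the key from the PIN; store only salt, ciphertext and MAC."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ct, "sha256").digest()
    return {"salt": salt.hex(), "ct": ct.hex(), "tag": tag.hex()}


def key_bound_unlock(blob, entered_pin):
    """Without the right PIN there is no key, so removing a flag reveals nothing."""
    if entered_pin is None:
        return None
    salt, ct = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["ct"])
    key = hashlib.pbkdf2_hmac("sha256", entered_pin.encode(), salt, 200_000)
    if not hmac.compare_digest(hmac.new(key, salt + ct, "sha256").digest(), bytes.fromhex(blob["tag"])):
        return None  # wrong PIN: MAC check fails, nothing is decrypted
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
```

In the flag-based model, deleting the preference line opens the app directly; in the key-bound model the same deletion leaves only ciphertext that the wrong PIN cannot unlock.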

miniLock - Open Source File Encryption Tool from CryptoCat Developer

It is the age of surveillance that has made encryption so widely used that it has become a need for law enforcement agencies, cyber criminals and every individual alike. But encryption is not easy.

To solve this problem, 23-year-old Cryptocat developer Nadim Kobeissi is set to release a simple solution delivering strong encryption at the HOPE hacker conference in New York later this month; it may soon come as an extension for the Google Chrome web browser, Wired reported.

The encryption program is dubbed miniLock, a free and open-source browser plugin designed to let anyone encrypt and decrypt files in seconds using a drag-and-drop interface with practically unbreakable cryptographic protection.

"The tagline is that this is file encryption that does more with less," says Kobeissi, activist and security consultant. "It's super simple, approachable, and it's almost impossible to be confused using it.