
RoboForm users

Started by Noodlez, March 30, 2004, 08:22 PM


Noodlez

*Disclaimer* What you do with this information is not my problem :)
This is a message for those of you who use RoboForm or anything similar.
Today I was exceptionally bored, and decided to delete unused folders. I came across a folder entitled "My RoboForm Data"; naturally, I wanted to see what was in there. (Out of order note: I used RoboForm for a day, and after being annoyed with it I uninstalled it.)

So in the folder, there is a subfolder (your Windows account name) containing all of your saved passwords/credit card information (encrypted, of course). I decided to see if I could crack them. I came across a neat little file explaining what file type contains what information, conveniently titled "RoboFormDataHere.txt".
(The contents of that document.)

  RoboForm User Data Folder
  -------------------------

  This is RoboForm User Data folder.

  This folder contains your Identities and PassCards.

  Identity is a file that has *.RFT extension.

  PassCard is a file that has *.RFP extension.

  If you need to back up Identities and PassCards
  backup all files in this folder.

  If you need to restore Identities and PassCards
  copy backed up files to this folder and restart RoboForm.


Upon inspecting all of my .RFP files, I began noticing a pattern. For certain websites where I use the same password, the encrypted text was *exactly* the same.

Right above the encrypted text was:

URL3:ver1:http://thewebsiteforwhichthedatawassaved

You see what I'm getting at?
I reinstalled RoboForm to see if I could confirm my suspicions. Creating a new .RFP file with a pasted encrypted password, I added

URL3:ver1:http://forum.valhallalegends.com

Guess what? My username and password were filled in correctly.

This is obviously a potential security flaw which could be exploited.
My recommendations to those who use this program:
* Noodlez wonders why there is no bulleted list YaBBC

-Use a different password for every site. (You won't need to remember them anyway!)
-Uninstall RoboForm. Who the hell forgets passwords? I only installed it to fill in my CDKey on BNet forums.
-Write a letter to the creators of RoboForm instructing them to encrypt the URL to which a password is linked.

It is safe to assume that all of the passwords are encrypted using the same key. Anyone with enough motivation could easily find the key and do some pretty nasty things.

Noodlez

After further speculation, it appears that upon installation RoboForm asks for a "passcard"; this passcard is then hashed and used as a key to encrypt all further data. Still tracking down the location of the hashed passcard; once this is found, RoboForm will no longer be the security beast it claims to be.

*Taken from their website*
RoboForm.
1. RoboForm stores your personal info in a known place on your computer and nowhere else. Once you delete RoboForm User Data Folder, all your confidential data is gone with no trace left.
2. You can backup and restore RoboForm User Data Folder easily.
3. If you password-protect your Passcards and Identities, nobody will be able to read them. Even if a hacker manages to steal your Passcards from your computer, he will then have to crack the DES encryption used in your Passcards and Identities, and DES is nearly impossible to crack.
They fail to mention that simply retrieving the key is much simpler than cracking the actual data.
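The two findings above, identical ciphertext for identical passwords that decrypts under any URL line (first post) and a single key hashed from the passcard (second post), as an added Go example that is not code from the thread or from RoboForm. AES-GCM stands in for RoboForm's DES and SHA-256 for its undisclosed key derivation (both assumptions), the URLs and password are constructed, and BoundSeal shows the mitigation of binding the URL into the authenticated record with a fresh nonce per entry.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "crypto/sha256")
// Record stands in for one PassCard entry: the clear-text URL line and the
// encrypted password that follows it (Nonce is empty in the weak scheme).
type Record struct {
	URL               string
	Nonce, Ciphertext []byte
}
// deriveKey models "the passcard is hashed and used as the key" (assumption:
// plain SHA-256; the real derivation is not described in the thread).
func deriveKey(passcard string) []byte {
	k := sha256.Sum256([]byte(passcard))
	return k[:]
}
// gcm builds an AES-256-GCM AEAD; a stand-in for whatever cipher RoboForm used.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	aead, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return aead
}

// WeakSeal reproduces the observed behaviour: a constant nonce and nothing
// tying the ciphertext to the URL, so equal passwords give byte-identical
// output that opens just as well when pasted under another URL line.
func WeakSeal(key []byte, url, password string) Record {
	g := gcm(key)
	zero := make([]byte, g.NonceSize())
	return Record{URL: url, Ciphertext: g.Seal(nil, zero, []byte(password), nil)}
}

func WeakOpen(key []byte, r Record) (string, error) {
	g := gcm(key)
	pt, err := g.Open(nil, make([]byte, g.NonceSize()), r.Ciphertext, nil)
	return string(pt), err
}

// BoundSeal is the fix: a fresh random nonce per record and the URL passed as
// associated data, so the tag check fails if the record is moved to another URL.
func BoundSeal(key []byte, url, password string) Record {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return Record{URL: url, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, []byte(password), []byte(url))}
}

func BoundOpen(key []byte, r Record) (string, error) {
	pt, err := gcm(key).Open(nil, r.Nonce, r.Ciphertext, []byte(r.URL))
	return string(pt), err
}
```

A store that can tell a moved record from a genuine one also makes the equal-password pattern invisible on disk, since two records for the same password no longer share a single byte of ciphertext.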