Grand and Bruno created a video that walks through the technical details in more depth.
RoboForm, made by US-based Siber Systems, was one of the first password managers on the market and currently has more than 6 million users worldwide, according to a company report. In 2015, Siber appeared to fix RoboForm's password generator. In a quick look, Grand and Bruno couldn't find any sign that the pseudorandom number generator in the 2015 version was still seeded from the computer's clock, which makes them think the time-based seed was removed to fix the flaw, although Grand says they would need to examine it more thoroughly to be sure.
Siber Systems confirmed to WIRED that it fixed the issue in RoboForm version 7.9.14, released on June 10, 2015, but a spokesperson did not answer questions about how it did so. In a change log on the company's website, it only mentions that Siber programmers made changes to "increase the randomness of generated passwords," without saying how. Siber spokesperson Simon Davis says "RoboForm 7 was discontinued in 2017."
Grand says that attackers can still regenerate passwords produced by versions of RoboForm released before the 2015 fix, and that without knowing how Siber fixed the issue he cannot be sure whether current versions are free of it.
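To make the weakness concrete, here is an added Python illustration (not RoboForm's code; the article does not describe Siber's actual generator, alphabet or seed derivation) of why a password generator seeded from the system clock can be reversed. The alphabet, the 20-character default length and the SHA-256 "fingerprint" used to check candidates offline are all assumptions standing in for whatever lets a candidate be tested, such as a wallet that only decrypts with the right password. The hardened form alongside it draws from the OS CSPRNG, so there is no seed to recover.

```python
"""Toy time-seeded password generator and the brute-force that reverses it.

Added illustration only: this is not RoboForm's generator, whose alphabet
and seed derivation are not described in the article.
"""
import hashlib
import random
import secrets
import string
from typing import Optional, Tuple

# Assumed character set for the toy generator (not RoboForm's).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def weak_generate(timestamp: int, length: int = 20) -> str:
    """Deterministically derive a password from a Unix timestamp.

    Seeding a non-cryptographic PRNG (Mersenne Twister here) from the clock
    makes every password a pure function of the second it was generated in.
    """
    rng = random.Random(timestamp)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 20) -> str:
    """Hardened form: each character comes from the OS CSPRNG via `secrets`.

    There is no seed to search for, so knowing the generation time buys
    an attacker nothing.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fingerprint(password: str) -> str:
    """Stand-in for any offline check of a candidate password (assumed)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def recover(target_fp: str, start: int, end: int,
            length: int) -> Optional[Tuple[int, str]]:
    """Brute-force the seed: regenerate the password for every second in
    [start, end) and return (timestamp, password) on a fingerprint match.

    The cost is the size of the time window, not of the password space:
    20 characters from a 70-symbol alphabet is about 2**122 possibilities,
    but a ten-year window is only about 3.2e8 seconds.
    """
    for ts in range(start, end):
        candidate = weak_generate(ts, length)
        if fingerprint(candidate) == target_fp:
            return ts, candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: a password made at a roughly remembered moment.
    created_at = 1_367_000_000  # 2013-04-26T18:13:20Z
    password = weak_generate(created_at)
    fp = fingerprint(password)
    # The owner recalls only the approximate date, so search a window around it.
    hit = recover(fp, created_at - 6 * 3600, created_at + 6 * 3600, 20)
    print("regenerated:", hit)
    print("CSPRNG password (no seed to recover):", strong_generate())
```

The search is linear in the width of the time window, which is what makes a multi-year window practical on commodity hardware even though the password itself is far too long to guess directly.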
“I’m still not sure I would trust it without knowing how they actually improved password generation in more recent versions,” he says. “I’m not sure if RoboForm knew how serious this particular weakness was.”
Customers may also still be using passwords that were generated with early versions of the program before the fix. It does not appear that Siber told customers, when it released the fixed version 7.9.14 in 2015, that they needed to generate new passwords for critical accounts or data. The company did not respond to a question about this.
If Siber did not inform customers, then anyone who, like Michael, used RoboForm to generate passwords before 2015 and still uses them may have passwords that attackers can regenerate.
“We know that most people don’t change passwords unless prompted,” says Grand. “Of the 935 passwords in my password manager (not RoboForm), 220 are from 2015 and earlier, and most are (for) sites I still use.”
Depending on what the company did to fix the issue in 2015, newer passwords may also be vulnerable.
Last November, Grand and Bruno took a percentage of the bitcoin as payment for their work and then gave Michael the password to access the rest. Bitcoin was worth $38,000 per coin at the time. Michael waited until it rose to $62,000 per coin and sold some of it. He now has 30 BTC, currently worth $3 million, and is waiting for the value to reach $100,000 per coin.
Michael says he was lucky he lost the password years ago because otherwise he would have sold the bitcoin when it was worth $40,000 a coin and would have missed out on a bigger fortune.
“Losing the password was a good thing financially.”