Security Researchers Recover Lost BTC Password Using Roboform’s Vulnerability
- A man named Michael lost the password to a Bitcoin wallet that held tokens worth $3 million. The password was created in 2013 with RoboForm's random password generator.
- Thankfully, two security researchers were able to help him out by using a vulnerability in the old version of the password generator.
- The vulnerability has since been fixed, but the fix only helps going forward: passwords generated before the 2015 update remain predictable, while passwords created after it are not exposed to this attack.
In a bizarre new case, two security researchers have managed to crack a password that was lost for over 11 years, recovering bitcoins worth $3 million.
The owner of the wallet, Michael, shared the incident in a video and said: "I generated the password, I copied it, put it in the passphrase of the wallet, and also in a text file that I then encrypted."
However, he lost the password when the encrypted storage on his computer that held the file became corrupted. And since it was a random password produced by RoboForm's generator, there was no way he could recall it.

At the time, the lost bitcoin was only worth a couple of thousand euros, so he let it go with a heavy heart. But the incident dates back to 2013, and a lot has changed since then.
The value of his bitcoin has swelled by 20,000 percent, which prompted him to reach out to security researchers for help recovering the money.
He contacted electrical engineer Joe Grand (also known as Kingpin), who initially turned the job down. Grand agreed only after he came up with a novel way to attack the password generator that had produced the password in the first place.
Michael now retains about $2 million worth of bitcoin, which he plans to hold on to until each coin is worth $100,000.

Grand teamed up with his colleague Bruno, and the two used Ghidra, the reverse engineering tool released by the US National Security Agency (NSA), to disassemble the password generator's code and work out how it produced its passwords.
After the job was done, a portion of the recovered bitcoin went to Grand and Bruno as payment, and another small part of it was sold off.
Talking about the incident, Michael also added that in a way he is grateful he lost his password. Otherwise, he might not have held onto these tokens for this long. Yikes!
RoboForm's Outdated Password Generator

While this incident was a win for Michael, it also shows how weak RoboForm's old password generator was. A password generator is supposed to produce a new, unpredictable password every single time; the version Michael used in 2013 did not.
While cracking this password, Grand found that the generator seeded its randomness from the system clock: if you can control the time, you can control the password it creates. In simple terms, if they could make the generator believe it was still 2013, it would produce the same password it had produced back then. So that's what they did.

Since they didn't know the exact moment the password was created, the duo generated millions of candidate passwords covering that period (using the same length and character settings Michael had used) and checked each one against the wallet until they found the match.
It's important to note that this vulnerability has since been fixed, so any password created after 2015 using RoboForm's password generator cannot be recovered with this time-based approach. The fix does not retroactively strengthen older passwords, though: anything generated with the pre-2015 version is still predictable to anyone who can narrow down when it was created, and should be replaced.
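To make the flaw and the attack concrete, here is an added example that models a time-seeded password generator and the seed search that recovers its output. This is illustrative code written for this page, not RoboForm's code: the PRNG (Python's Mersenne Twister), the character set and the one-second seeding scheme are all assumptions, and the real algorithm Grand reverse-engineered is not reproduced here. The same block shows what a fixed generator does instead, drawing from the operating system's CSPRNG so there is no seed to guess.

```python
"""Added example, not RoboForm's code.

Models a password generator whose only entropy is the generation time,
the brute-force seed search that defeats it, and the fixed version that
has no seed to guess. PRNG, charset and seeding scheme are assumptions.
"""
import random
import secrets
import string
from datetime import datetime, timezone
from typing import Optional

# Assumed character set; the real generator's settings are not on the page.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def weak_generate(seed_time: int, length: int = 20, charset: str = CHARSET) -> str:
    """Model of the pre-2015 flaw: the PRNG is seeded from the clock.

    Same timestamp + same length/charset settings => the same password,
    every time. Nothing about this is secret except *when* it ran.
    """
    rng = random.Random(seed_time)  # deterministic, not cryptographic
    return "".join(rng.choice(charset) for _ in range(length))


def recover_password(target: str, start: int, end: int, length: int = 20,
                     charset: str = CHARSET) -> Optional[int]:
    """Brute-force the seed over a window of candidate timestamps.

    Tries every second in [start, end] with the same generator settings
    and returns the timestamp that reproduces `target`, or None. Cost is
    linear in the window: a two-year window at one-second resolution is
    about 63 million candidates, which is the scale of search described
    in the article.
    """
    for t in range(start, end + 1):
        if weak_generate(t, length, charset) == target:
            return t
    return None


def secure_generate(length: int = 20, charset: str = CHARSET) -> str:
    """What a fixed generator does: every character comes from the OS
    CSPRNG via `secrets`, so there is no clock-derived seed to search."""
    return "".join(secrets.choice(charset) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: a password generated at some second in 2013
    # that the owner no longer remembers exactly.
    created = int(datetime(2013, 4, 15, 10, 30, 7, tzinfo=timezone.utc).timestamp())
    lost_password = weak_generate(created)

    # The attacker only knows roughly when; search an hour either side.
    window = 60 * 60
    found = recover_password(lost_password, created - window, created + window)
    print("recovered seed:", found, "->", weak_generate(found) if found else None)

    # The fixed generator gives the search nothing to latch on to.
    strong = secure_generate()
    print("secure password recoverable?",
          recover_password(strong, created - window, created + window) is not None)
```

The search only works because the attacker can reproduce the generator's settings (length and character classes) and bound the creation time; widening the window or guessing the settings wrong multiplies the cost, which is why the real recovery took a large candidate set rather than a single lookup.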
A Bit about RoboForm

RoboForm is one of the best password managers around, with 20 years of industry experience. With over 6 million individual users and 40,000 business users, RoboForm is a trusted name with an impeccable track record.
It has never been involved in a data breach. And although there have been vulnerabilities (like the one discussed above), all of them have been fixed by its security team.
As we've mentioned in our detailed RoboForm review, the platform uses industry-standard AES-256 encryption and offers features like secure password sharing, safety assessments, web monitoring, and two-factor authentication.
RoboForm is budget-friendly, too, with plans starting at just $2.49/month. Not only that, but there's also a stripped-down free plan with enough features for basic protection.
The post Security Researchers Recover Lost BTC Password Using Roboform's Vulnerability appeared first on The Tech Report.