Correct me if I'm wrong, but it seems it's the client-side storage that's using encryption. So the use case here is more of a "remember me on this computer" vs "store the passwords of all users in a database", in which case the decision kind of makes sense. So they can't use hashing because it's non-reversible and you need the actual password to authenticate with the server when you connect. There are many better solutions to this of course, like storing your passwords in the OS "keychain"/"agent" or having a master password. Or even using an authentication mechanism that doesn't require storing a password at all.

Again, I'm not sure, but that's how I understood it. There are other apps that kind of do the same thing. For example, FileZilla stores your FTP login credentials (to connect to remote servers) base64-encoded in an XML file in your home directory. It's arguably better than encrypting with a fixed known key because it doesn't give you a false sense of security at least. In the case of FileZilla they have less choice when it comes to this because they control neither the server nor the protocol (they can still do better though), while TeamViewer can design the whole thing from the ground up (plus taking care of backward compatibility, I guess).

EDIT: Per comments below, the issue as described by the researcher only works on version 9 & older.

A rather important note that the author glossed over: on a machine running TeamViewer v9-, the unattended access password can be pulled from the registry and decrypted with this key.

For v10+, if you are mass deploying TeamViewer via MSI and you are setting the unattended password using a .reg file bundled with the MSI, then the password stored in that .reg file can also be decrypted with this key, but the password can not be pulled directly from the registry as long as you're running version 10+.

And on the latest version of TeamViewer 14, as long as the SecurityPasswordExported key is available. The SecurityPasswordExported value, which is the password they successfully decrypted with this key, isn't stored in the registry under normal circumstances (you *might* be able to catch it there during installation or before the first launch, depending on how the client imports it).
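The comments above describe two exposure cases: a v9-or-older install, where the unattended password sits in the registry, and a newer install where a lingering SecurityPasswordExported value (imported from a deployment .reg file) is recoverable. The audit script below is an added example, not code from the thread or from TeamViewer; the registry locations (HKLM:\SOFTWARE\TeamViewer, its WOW6432Node twin, VersionN subkeys) and the "Version" value name are assumptions, and the .reg file bundled with an MSI deployment still has to be checked separately.

```powershell
# Added audit check (not from the original thread). Assumed layout: TeamViewer settings
# under HKLM:\SOFTWARE\TeamViewer or HKLM:\SOFTWARE\WOW6432Node\TeamViewer, possibly in a
# VersionN subkey for v9 and older, with a "Version" string value and the
# "SecurityPasswordExported" value that the comments above mention.
function Get-TeamViewerPasswordExposure {
    [CmdletBinding()]
    param()

    $roots = @('HKLM:\SOFTWARE\TeamViewer', 'HKLM:\SOFTWARE\WOW6432Node\TeamViewer')
    $findings = @()

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Inspect the root key itself plus any VersionN subkeys left by older installs.
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'Version*' })

        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props) { continue }

            # Derive the major version from the "Version" value, else from the subkey name.
            $versionText = $props.Version
            if (-not $versionText -and $key.PSChildName -match '^Version(\d+)') {
                $versionText = $Matches[1]
            }
            $major = 0
            if ($versionText -and ($versionText -match '^(\d+)')) { $major = [int]$Matches[1] }

            $hasExported = $null -ne $props.PSObject.Properties['SecurityPasswordExported']

            $risk = 'None observed'
            if ($major -gt 0 -and $major -le 9) {
                $risk = 'v9 or older: unattended password recoverable from the registry'
            } elseif ($hasExported) {
                $risk = 'SecurityPasswordExported present: exported password recoverable'
            }

            $findings += [pscustomobject]@{
                Key                      = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Version                  = $versionText
                SecurityPasswordExported = $hasExported
                Risk                     = $risk
            }
        }
    }
    return $findings
}

Get-TeamViewerPasswordExposure | Format-Table -AutoSize
```

Run it elevated on the endpoint; a row flagged with SecurityPasswordExported present means the imported value was never cleaned up and should be removed, while a v9-or-older row is only fixed by upgrading the client.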