They're doing nothing too wrong, the person criticising them doesn't understand basic computer security.

When the user hits "save password" on the client-side, the client needs to save the actual (plain text) password in order to replay it for future logins. A hashed password cannot be stored, otherwise that hashed password becomes the plain text password anyway (essentially destroying any benefit hashing would have here). The rules that apply to servers/services aren't the same as those for clients/saved logins.

Using reversible encryption is unavoidable, because they ultimately need plain text to send to the TeamViewer remote service. It is still marginally better than storing the actual plain text even if it is security through obscurity (using a hard-coded key in this case). Storing it in the user's registry hive instead of a higher privilege allows the TeamViewer client to run in the user's context, instead of needing to run as administrator, have a broker, or similar.

One potential upgrade might be to use Windows' Data Protection API. It works essentially the same way as their current method, but Windows is responsible for protecting the encryption key (and has a broker that can house it at a higher privilege level).

But ultimately if you have a process running in the user's context and can manipulate the TeamViewer client, you can bypass the Data Protection API pretty trivially (e.g. injected DLL, UI hooks, other misc memory hooks, etc).
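The Data Protection API upgrade described above, as an added example that is not part of the original comment or TeamViewer's code: a saved password kept in the user's registry hive with Windows holding the key instead of the client. The key path `HKCU:\Software\ExampleRemoteClient`, the value name and the sample password are hypothetical, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example: DPAPI-protected saved password in the user's registry hive.
# Key path, value name and sample password are constructed for illustration.
Add-Type -AssemblyName System.Security

$KeyPath   = 'HKCU:\Software\ExampleRemoteClient'   # hypothetical application key
$ValueName = 'SavedPassword'                        # hypothetical value name
$Scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Save-Password {
    param([Parameter(Mandatory)][string]$Password)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Password)
    try {
        # Windows derives the key from the user's logon secret; nothing is hard-coded in the client.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)    # do not leave the plain text in this buffer
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $blob -Type Binary
}

function Get-SavedPassword {
    [byte[]]$blob = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    try {
        # Succeeds for any process running as this user: the limit the text describes.
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        throw 'Blob cannot be decrypted here (different user or machine, or modified data).'
    }
    try { [System.Text.Encoding]::UTF8.GetString($plain) }
    finally { [Array]::Clear($plain, 0, $plain.Length) }
}

# Round trip with a constructed sample value, then clean up the hypothetical key.
Save-Password -Password 'constructed-sample-password'
$roundTrip = Get-SavedPassword
"Round trip ok: $($roundTrip -eq 'constructed-sample-password')"
Remove-Item -Path $KeyPath -Recurse
```

Copying the registry value to another account or machine makes `Unprotect` throw, which is the gain over a hard-coded key; it does nothing against code already running in the same user session.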