Critical TeamViewer credential storage vulnerability; billions of devices affected

According to an information security report, TeamViewer, the popular remote access tool, has a serious vulnerability in the way it stores its users' access credentials. Exploiting the flaw would allow a threat actor with only limited privileges on a system to copy data from it or schedule tasks on it. The flaw is tracked as CVE-2019-18988.

The report was prepared by an anonymous researcher who says he came across TeamViewer during an engagement at one of his clients. The encrypted values he found in the TeamViewer registry keys led him to suspect that a single key, shared across all TeamViewer installations, was involved. He did not manage to compromise the client's system within the engagement, but he kept a copy of the TeamViewer registry keys, and that is where this security issue begins.

To continue the research, the expert located the installer for the exact TeamViewer version recorded in the registry keys and set up a virtual machine with that version installed.

It turns out that the OptionsPasswordAES registry key holds the password that keeps unauthorized people out of the menu where settings can be changed. The researcher did not know that password, but running BulletsPassView on the virtual machine revealed it in plain text. With it, the researcher could get back into the options page and reach the protected second part of the TeamViewer settings menu.
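The shared-key problem the researcher suspected is easiest to see in code. The following Go program is an added example written for this page, not TeamViewer's code or the researcher's: the key, IV, password and registry blob are all constructed stand-ins, and AES-CBC with PKCS#7 padding is assumed as the scheme behind a value named OptionsPasswordAES (the page does not state the actual algorithm or parameters). It shows why a key that ships identically in every installation reduces the "encryption" to whatever the registry ACL allows: whoever extracts the key once can decrypt the value copied from any other machine, while a per-installation key makes the same blob useless elsewhere.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Stand-in "product-wide" key and IV. Both are constructed for this example
// and are NOT TeamViewer's values; the point is only that the same bytes
// would ship inside every installation of the product.
var (
	productWideKey = []byte("example-shared-k") // 16 bytes -> AES-128
	productWideIV  = []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
)

// pkcs7Pad extends b to a whole number of blocks (PKCS#7 is an assumption).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects anything malformed, which is
// also what a decryption attempt with the wrong key usually trips over.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptSetting models what the product does when it writes a value such
// as OptionsPasswordAES: AES-CBC under a key baked into the binary.
func encryptSetting(key, iv []byte, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad([]byte(plaintext), block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptSetting is what anyone holding the key can do with a blob copied
// out of the registry. If the key is the same everywhere, the registry ACL
// was the only thing ever protecting the setting.
func decryptSetting(key, iv, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(blob)%block.BlockSize() != 0 {
		return "", errors.New("blob length is not a multiple of the block size")
	}
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, blob)
	plain, err := pkcs7Unpad(out, block.BlockSize())
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	// Machine A writes its options password. The blob stands in for the
	// REG_BINARY value an attacker would copy out of the registry hive.
	blob, err := encryptSetting(productWideKey, productWideIV, "Opt10nsP@ss")
	if err != nil {
		panic(err)
	}
	fmt.Printf("OptionsPasswordAES (hex): %x\n", blob)

	// Machine B's copy of the product carries the same key, so its owner
	// needs no further secret to recover machine A's password.
	recovered, err := decryptSetting(productWideKey, productWideIV, blob)
	fmt.Printf("decrypted with the shared key: %q, err=%v\n", recovered, err)

	// With a per-installation key the same blob is useless elsewhere.
	perInstallKey := []byte("unique-per-host!") // constructed, 16 bytes
	recovered, err = decryptSetting(perInstallKey, productWideIV, blob)
	fmt.Printf("decrypted with another key: %q, err=%v\n", recovered, err)
}
```

Run it with `go run`. On a real host the blob would be the binary value read from the registry under a low-privileged account; here it is constructed inline so the program runs offline. The design point is the last call: whether the wrong key fails with a padding error or yields garbage, the attacker gets nothing, which is exactly what a product-wide key gives away.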

Next, the researcher found instructions for searching a process's memory with Cheat Engine, installed it on the virtual machine, and found the options-menu password stored in plain text in memory.

The vulnerability was reported to the developers of the remote access tool, who began investigating and fixing the flaw. That investigation has not yet been completed, although security experts consider it quite possible that threat actors have already exploited the vulnerability in real-world scenarios.