A TEAMVIEWER VULNERABILITY LETS THE VIEWER BE VIEWED HIMSELF, OR VICE VERSA

A vulnerability was discovered in TeamViewer that could allow the client to view the server (viewer) or, if exploited by the viewer, to initiate a change of control.

TeamViewer is a registered computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers. It lets the client share his desktop with another computer, or with a team of computers, as the application name suggests. TeamViewer must, however, be installed on all participating systems in order to function.

Prior to sharing, the client shares a pass-key which the viewers must enter to authenticate the connection. After that, by exploiting the TeamViewer vulnerability, the client can, while sharing his desktop with the viewers, view the viewers' own desktops in return without them noticing. Put simply, the vulnerability works by “switching sides.”

Conversely, if the vulnerability is exploited by the viewer after the connection has been authenticated, the viewer can take control of the client's keyboard and mouse, disregarding the current control settings and permissions.

This vulnerability affects versions running on Windows, macOS and Linux machines.

On unpatched systems, or when dealing with untrusted clients and servers, participants in TeamViewer sessions should first create a standard local user account to be used exclusively for connecting to the session. This safeguards the computer’s files that are irrelevant to the session.

For systems under the user’s supervision, it is advised to apply the necessary patches and updates provided by TeamViewer to remedy the vulnerability.
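The dedicated standard account recommended above can be set up on Windows as follows. This is an added example, not part of the original article and not TeamViewer's own guidance; the account name `tv-session` is a hypothetical placeholder, and macOS and Linux need their own equivalents.

```powershell
#Requires -RunAsAdministrator
# Added example: create a standard (non-administrator) local account that is
# used only for TeamViewer sessions. Run from an elevated PowerShell prompt.

$name = 'tv-session'            # hypothetical account name, choose your own

# Well-known SIDs, so the script also works on non-English Windows installs.
$usersSid  = 'S-1-5-32-545'     # BUILTIN\Users
$adminsSid = 'S-1-5-32-544'     # BUILTIN\Administrators

# Create the account only if it does not exist yet.
$user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
if (-not $user) {
    $pw   = Read-Host -Prompt "Password for $name" -AsSecureString
    $user = New-LocalUser -Name $name -Password $pw `
                -Description 'TeamViewer sessions only (standard user)'
}

# New-LocalUser puts the account in no group; add it to Users so it can log on.
$inUsers = Get-LocalGroupMember -SID $usersSid |
    Where-Object { $_.SID.Value -eq $user.SID.Value }
if (-not $inUsers) {
    Add-LocalGroupMember -SID $usersSid -Member $name
}

# Verify the account has no administrative rights before using it.
$inAdmins = Get-LocalGroupMember -SID $adminsSid |
    Where-Object { $_.SID.Value -eq $user.SID.Value }
if ($inAdmins) {
    throw "$name is a member of Administrators; remove it before use."
}

Write-Output "$name is a standard user. Log on as $name before joining a session."
```

Sign in to Windows as this account before starting or joining a session, so that anything the other side sees or controls is limited to what a standard user can reach.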

 

Manny Cuevas

My name is Manny Cuevas, a Security Researcher / Engineer for about 15 years who focuses on Web and Mobile applications and other platforms, from the Island of Sulu, Philippines. I’m also a scientist, inventor and a top ranked hacker in the world that bypasses all security systems.

 
