TeamViewer never change temp password after the remote session

Options

Hi, i recently discover once i give my ID and temp password for a remote session, at the end of that the passwoprd still be the same. When other person connect to my PC no alert ask to me to allow the connection so I suppose... If i go out from my PC the other operator can connect again to my remote PC without any consent and will have full access to my machine.

This seems to be a security issue.

 

By default was not selected to change password every session end so i belive default settings has a potential security issue. Please check.

Tagged:

Best Answer

Answers

  • peopleinside
    peopleinside Posts: 21 ✭✭
    Options

    Hi Esther, thank you very much for your reply!
    I hope your day is going weel and I'm happy to read you.

    I agree with you, reccomandations should be to set the randoom password so why as default TeamViewer is not using this settings?

    Thanks for passing this to the team, I think is important.
    I faced again issues on posting in community, this many month ago and also in those days... so I contacted your company by Facebook. Now seems I can post again but your community seems have issue too for member like me. Every time I need support here I loose my post because of errors on posting :)

    SharedScreenshot.jpg

     

    Again thanks for your help.

  • Esther
    Esther Posts: 4,051 Former Community Manager
    Options

    Hi @peopleinside 

    Sorry to hear you had issues posting on the community.

    I think I need to check with our vendor why this happens to some of our users every now and then.

    Have a great Friday,

    Esther

    Former Community Manager

  • peopleinside
    peopleinside Posts: 21 ✭✭
    Options

    Thanks Esther. Have a great Friday and week end too!

    Yes you should contact your community platform support ;-)

  • peopleinside
    peopleinside Posts: 21 ✭✭
    Options

    Recently I installed some Windows PC with Team Viewer.

    I never customize settings.

    Seems the default settings is insecure. You have a good guide about security so why by default the temp password never change after the session end?

    For me this is a situation where the default settings can create a security issue and vulnerability because I give the temp password to a support team, they end his session, I leave my PC and they still be able to connect after many different hours.

    Why as default you don't change the temp password?

    TeamViwer 15.15

  • peopleinside
    peopleinside Posts: 21 ✭✭
    edited March 2021
    Options

    Why I need set manually this and is not default settings?


    Do you have a new community? I opened a new discussion never found this one; seems I cannot delete it.

    ---

    Source: https://community.teamviewer.com/English/discussion/112541/why-team-viewer-doesnt-use-secure-settings

    Recently I installed some Windows PC with Team Viewer.

    I never customize settings.

    Seems the default settings is insecure. You have a good guide about security so why by default the temp password never change after the session end?

    For me this is a situation where the default settings can create a security issue and vulnerability because I give the temp password to a support team, they end his session, I leave my PC and they still be able to connect after many different hours.

    Why as default you don't change the temp password?

    TeamViwer 15.15

    ---

    I still see this issue not resolved, why the secure settings to change the temp password after a session is not set by default?


    Also changing manually the setting by selecting in the menu to generate a new temp password, if I start a test session than close it the password is changed but I still be able to connect with the old temp password. Seems security is not working well, I feel not safe.

    Sorry I tried to do the screenshot in English but was unable to change the language


  • peopleinside
    peopleinside Posts: 21 ✭✭
    Options

    Also changing manually the setting by selecting in the menu to generate a new temp password, if I start a test session than close it the password is changed but I still be able to connect with the old temp password. Seems security is not working well, I feel not safe.

    Sorry I tried to do the screenshot in English but was unable to change the language


  • peopleinside
    peopleinside Posts: 21 ✭✭
    Options

    Not changing the temp password after a session by default is also bad for who use Team Viewer without installing it: in this case you cannot customize the password change and if you have a remote session that end and you leave the PC with Team Viewer still opened, the other person are able to take control of the PC.

  • peopleinside
    peopleinside Posts: 21 ✭✭
    Options

    Is really nice to see there are no support and no replies.

    This made me think the security issue I feel is not so false and no one seems take care.

  • peopleinside
    peopleinside Posts: 21 ✭✭
    edited April 2021
    Options

    By default Team Viwer

    1. doesn't change the temporary password after a remote session
    2. doesn't require, with a pop up window, to allow the remote connection once the temporary password is used

    This two choices made by default by the program to create, on my point of view, two security vulnerability.

    The first is done by me thinking after a remote session ends I'm secure but is not because I can leave the PC and without I know it the other interlocutor can connect again with a full access to my unmonitored device. In this situation data can be stolen or erased because no one is on the monitor to check or stop this.

    For made an example Google Remote Desktop require every time a different temp password that stop to work after be used or after a long inactivity, this avoid anyone to connect to our PC without we don't know it. Allowing a temporary password to work until the PC is not restarted or until user never ask to the program, manually, to change the temporary password creating a situation that can be exploited.

    For resolve this situation user have to remember to change every time the temporary password but also to change it in the case it give the temporary password but for some reason the other person did not connected to our device maybe telling us internet connection was not working, etc. The risk is we can leave the PC, forget someone know now our temporary password and without any other permission needed, are able to connect to our device.

    The first point can be solved going in the Team Viewer settings and activating the relative option to change the temporary password after a remote session. This will not resolve the case where we can give to someone our temporary password and no connection are done. If we do not change the password and leave the PC we can be exposed to an attack. This can be possible when we found a person that are interested in stealing or damaging our device informations and invent a situation than wait we forget about this and leave the PC to take full control.

    [quote]

    Random Password after each session

    You can select whether or when you would like Team Viewer to generate a new random password for incoming sessions. 

    Under Extras --> Options --> Advanced--> Under Advanced settings for connections to this computer --> Random password after each session --> Choose your option --> Click OK

    [/quote]

    Team viewer guide: https://community.teamviewer.com/English/kb/articles/28442-all-about-passwords

    The second point where no pop up windows require permission to remote connect to our device when a temporary password is used, I think it cannot be actually resolved. I don't see any option to require authorization when the temporary password is used.

    Actually I reported this issue to the privacy address of the Team Viewer team. All users should change their settings to avoid the temporary password to be not changed after a remote session and also having to consider once someone know the temporary password are able to connect to our device without any additional permission needed.

    I suggested to the Team Viewer team to change as soon possible this default settings to be more secure in particular:

    • To change, by default the temporary password after all remote session
    • To show always a pop up windows that ask to confirm the connection to a remote device when the temporary password is used

    I have no guarantee the Team Viewer team will care about my report. I'm trying to see security improved by different months but is not easy for a free user get support or report issues.

    Actually seems users need a webinar or a school to be secure with the Team Viewer default settings, on my point of view. Is important so to change the program settings to be more secure and always remember actually there is no pop up that asking for permission once the temporary password is used or someone know it. The only way to secure the account is to change the temporary password and to keep it secret and also change after a remote session or after someone get it and never connect immediately to our device.

  • JeanK
    JeanK Posts: 7,015 Community Manager 🌍
    Options

    Hello @peopleinside,

    The dynamic password is set by default as keep current, to cover up the reconnect use case. Should this change, the user would have to provide the password again to the supporter. This password changes anyway when the TV service restarts or when the machine is rebooted (which is effectively the same action).

    However, you have a point. This is why we will take this internally and it will be discussed.

    Community Manager

  • peopleinside
    peopleinside Posts: 21 ✭✭
    edited April 2021
    Options

    Hi @JeanK finally I was able to get an answer here and to the privacy email address.

    I'm also pretty sure to have reported this issue in the past.

    I understand your point but I think is not a good point especially considering security and how many attacks and vulnerability are discovered today and affect Internet.

    If an user have issue on reconnection should be maybe leaved free to select less secure settings but when this is done will be under user responsibility. Maybe an Tip alert should be written near this settings when user will decide to have the default situation you have now.

    Also if connection is lost, I don't see any big issue on giving a new temporary password. If user have a different needs can always decide maybe to customize settings to don't ask any permission and to not seeing temporary password expire after a session but this will expose to potential security issue that actually seems to be the default situation for all new install and this is bad.

    Thanks for considering this, I really hope will be discussed but if you will not recognize this as potential security and vulnerability, I think you do a big mistake and blogs, websites should start to talk about this and sharing how to be protected by this kind of attack.

    I feel to be more safer with Google Remote Desktop actually just because it give all security features I mentioned: no one can easily connect without your consent and without you know it. Actually Team Viewer, on my point of view, can allow remote unauthorized connections due to the mechanism I wrote.

    I discovered this after keep for different time week Team Viewer settings because I was not aware about this situation where a temporary password will be just changed when the PC is restarted and you don't know when will be.. this is valid for private but also more on business.

    Security should be at first place, on my opinion. You can of curse leave to the user the choice to use more comfortable settings by exposing to security vulnerability I mean a weakness situation but should be the user that take this responsibility and not the default settings applied to anyone that install Team Viewer on Windows.

    The temporary password that never change after a remote session is not the only one problem; as I told also never ask with a window permission to connect when a temporary password is used is another situation that can cause weakness.

    For example an attacker can find a situation where is available to give support, ask and is informed about the temporary password than can tell he is not able to connect, can maybe use another remote program, end the session than try to connect after an hours or after some several minutes to the Team Viewer where the temporary password has not been used. As Team Viewer is not requesting other permission allowance by a pop up window, the attacker can take full control of the PC while the person is away from the device.

    I really hope you will seriously consider this true situation and improve, if not will be useful website start to talk about needed settings edit on every Team Viewer installation to prevent weakness and potential security issue.

    You know, you don't have always in mind to change the temporary password after a session especially because in **bleep** you don't need to do this. The issue is only on Team Viewer.

    Thank you.