Full Disclosure mailing list archives

Re: Discussion: Teamviewer "Feature" or "Bug"?

From: Dave Warren <davew () hireahit com>
Date: Thu, 08 May 2014 11:18:03 -0700

On 2014-05-08 02:00, HHeilemann () meko-s de wrote:

today i remote-controlled a device with teamviewer. This is not very
special. But: with me connected was another person (technican) from another
company. He did some maintenance work on the device and me i simply
followed him.

Now, here comes the issue:
the technican copies with STRG+C and STRG-V some passes between his client
and the managed device.
I did nothing, exept opend a notepad on my computer and hit STRG+V several
times.

Guess what: his clipboard entries was shown in my notepad.

So: Is this a Feature or a Security Bug?

I'd argue feature, although one that can potentially be exploited if youobserve someone copy/paste a password. I've inadvertently captured auser's password with local clipboard monitoring software afterTeamViewer, so I can certainly understand the potential risk ofinformation leakage.

On the flip side, this is a *very* useful feature. Ideally it would havea "Share clipboard with remote side? (Yes, no, for this session,always)" dialog the first time someone modifies the clipboard whileTeamViewer is being used to give users some level of control.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Discussion: Teamviewer "Feature" or "Bug"? HHeilemann (May 08)
- Re: Discussion: Teamviewer "Feature" or "Bug"? Prototype This (May 08)
- Re: Discussion: Teamviewer "Feature" or "Bug"? Keith I Myers (May 08)
- Re: Discussion: Teamviewer "Feature" or "Bug"? Dave Warren (May 08)