Tuesday, November 03, 2009

TeamViewer Session Hijacking (FireWall Info)

If you are a TeamViewer user or a business that uses TeamViewer to remotely connect to computers online, you should read this and follow a few simple checks to make sure what happened to me doesn't happen to you.

TeamViewer Server seems to have been hacked and the hackers are picking up on the Session IDs.

In my case it was 2 outside connections during my TeamViewer session with a friend.
Both attempted to access my computer and my friend's computer.
Because I was running an old version of TinySoftware, I noticed the connection attempt and noted who and where it was. The remote system was only running Sunbelt Personal Firewall, which allows TeamViewer to pass without even a challenge.

If I hadn't seen it for myself I might not have believed it, but this is what the person did while I was watching.

They moved the remote mouse to minimize the screens to display the TeamViewer information. They highlighted the Session ID and with a right click I saw them copy the Session ID. (It was interesting that they didn't use key commands.)

Next I pulled up Notepad and typed "WHO ARE YOU?"
They minimized it and went to the machine name.
I restarted the remote computer before they could continue.

This experience had me up in arms, and I deleted TeamViewer from all my systems and emailed my friend to remove it.

The weak link is their own server, which has to be the way they knew about the connected computers.

Good luck if you still use it. I would recommend getting a firewall that blocks TeamViewer and allows you to select a single IP address. With that you can control just how many others connect during your session. But unless both computers have the same firewall strength, one of you might not be safe.

