Yesterday we ran an editorial written by guest author Max Emelianov in which he discussed the recent TeamViewer security issues. TeamViewer has reached out to us to refute much of what Mr. Emelianov wrote in his editorial. In an effort to be fair and present our readers with both sides as they see it, we are publishing TeamViewer’s response for you to draw your own conclusions. What follows below are TeamViewer’s responses to Mr. Emelianov’s editorial.
The editorial is full of incorrect allegations including:
“…. a nasty vulnerability recently unveiled in Teamviewer”
- That is incorrect – after looking at the current information – we have no evidence for any structural vulnerability of our software.
- By the way: Thus far NOBODY has outlined any structural vulnerability of TeamViewer.
“At the end of last month, the company suffered a data breach which compromised scores of user accounts.”
- Again, that is incorrect: TeamViewer did not suffer a data breach. Our research suggests that the reuse of account credentials is the root cause of the problem many users had when their accounts were abused. That, however, is a problem that can jeopardize virtually any online service.
- Yet Whitelisting and Two Factor Authentication would have been effective features to help prevent cases of account abuse. Both features have been available to TeamViewer users for years.
“Almost simultaneously, the application’s network was disrupted by a massive denial of service attack.”
- The DoS attack came AFTER the allegations that accounts were supposedly hacked. So the course of events is a clear piece of evidence that the DoS attack could not have been the origin of the issues users reported.
“You’d work out how many people were compromised.…”
- We initially looked at the evidence at our disposal to get a clear picture. We believe that you first need to do proper research. What we found is this: First of all, the number of account abuses is so small that by releasing this figure it would have sounded like we are trying to downplay the issue. The number we are now looking at is not even near 0.01% of all TeamViewer accounts. However, we believe that one case is one case too many. So we decided to help users protect their accounts even better, and released two additional security features.
“… apologizing for putting their information at risk.”
- TeamViewer did not put anyone’s information at risk. Can you substantiate how we supposedly put anyone’s information at risk?
“TeamViewer has since admitted responsibility for the hack (sort of).”
- That is factually incorrect. TeamViewer has not admitted to a hack and we still have no evidence for a hack at our end. We acknowledged cases of account abuse, and underscored we have reason to believe that the reuse of account credentials is the root cause of this problem.
“This is in spite of the fact that many users reported attackers bypassing their two-factor authentication.”
- We proactively reached out to those users who claimed our TFA had been compromised. First of all, only a very limited number of those users sent us their log files. Second of all, in the log files we have received, we have thus far not found any evidence that our TFA has been breached.
What do you think of TeamViewer’s response? Let us know in the comments below or on Twitter, Facebook and Google+.