[German]Another little hint on Sunday. Microsoft's developers store the passwords for accessing IMAP accounts for Outlook in the registry. Is indeed DAPI-encrypted, but can be decrypted in the system with an API call. This approach is also used by tools to determine the password.
Advertising
Those who think that passwords stored in Outlook are safe for accessing IMAP accounts should reconsider. The information came to my attention some time ago in this tweet and I came across it again while going through my list of links.
The statement: IMAP passwords exist in the registry at Outlook in DPAPI-encrypted form. For example, the key is:
HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
In the tweet, mgeeky writes that a simple CryptUnprotectData() API call can decrypt this value from the registry.
In a reply tweet, FU Weissinger writes that the Teams full-client cache also stores unencrypted in the browser cache. The same is true for the Teams web client, which stores chats unencrypted in the browser cache. They no longer allow Teams on unmanaged clients – and I had recently pointed out the problem in the post Microsoft Teams stores authentication tokens as plain text in Windows, Linux, Macs.
Additional information about DPAPI
The acronym DPAPI stands for Data Protection API, a simple cryptographic application programming interface available as an integrated component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can symmetrically encrypt any type of data; in practice, it is primarily used in the Windows operating system for symmetric encryption of asymmetric private keys.
Advertising
DPAPI does not store any persistent data itself; instead, it simply receives plaintext and returns ciphertext (or vice versa). The security of DPAPI depends on the ability of the Windows operating system to protect the master key and RSA private keys from compromise. This is highly dependent on the security of the end user's credentials in most attack scenarios. The master key for encryption and decryption is derived from the user's password using the PBKDF2 function.
From Microsoft there is this post on DPAPI, and this post from the Threat Hunter Playbook discusses more details. Won't interest a normal user, but tools like Nirsoft's DataProtectionDecryptor use DPAPI to decrypt passwords.
DataProtectionDecryptor, Quelle: Nirsoft
