Anyone who believes that the passwords stored in Outlook for accessing IMAP accounts are safe should think again. Microsoft's developers store the passwords for Outlook IMAP accounts in the registry.
The passwords are indeed encrypted with DPAPI, but they can be decrypted on the same system with a single API call. This is the approach the tools mentioned at the end of the post use to recover the password.

For example, the key is:
HKLM\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9898CFF0885468d3B88A99567B2A6676
A simple call to the CryptUnprotectData() API, made in the context of the user who owns the profile, decrypts this value from the registry.
Wait, it gets even more interesting:
The Teams desktop client also stores unencrypted passwords in its browser-based cache. The same is true for the Teams web client, which stores conversations unencrypted in the browser cache.
What we know about DPAPI
The acronym DPAPI stands for Data Protection API; it is a simple cryptographic application programming interface available as a built-in component of Windows 2000 and later Microsoft Windows operating systems.
In theory, the Data Protection API can symmetrically encrypt any type of data. In practice, it is mainly used within the Windows operating system for the symmetric encryption of asymmetric private keys.
DPAPI does not store persistent data. It simply takes plaintext and returns it encrypted (or vice versa). The security of DPAPI depends on the ability of the Windows operating system to protect the master key and the RSA private keys from attack, which in most attack scenarios comes down to the security of the end user's credentials. The master key used for encryption and decryption is derived from the user's password with the PBKDF2 function.
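To make the point above concrete, here is an added PowerShell example (not code from the original post) showing a DPAPI round trip through .NET's ProtectedData class, which wraps CryptProtectData/CryptUnprotectData. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the secret and the optional entropy value are constructed for the demo. It shows that a blob protected in CurrentUser scope is unprotected by any code running as that same user without any password prompt, and that application-supplied entropy only helps if the entropy itself is not stored next to the blob.

```powershell
# Added example: DPAPI protect/unprotect round trip via .NET ProtectedData.
# Assumes Windows; all sample values below are constructed for the demo.
Add-Type -AssemblyName System.Security

$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [System.Text.Encoding]::UTF8.GetBytes('demo-imap-password')   # constructed sample secret
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy') # constructed optional entropy

# 1. Protect under the current user's DPAPI master key (no entropy).
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
"Protected blob: {0} bytes, base64 {1}" -f $blob.Length, [Convert]::ToBase64String($blob)

# 2. Any process running as the same user can unprotect it with one call.
#    This is exactly why a DPAPI-protected registry value is only as safe as the user's session.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
"Unprotected: {0}" -f [System.Text.Encoding]::UTF8.GetString($plain)

# 3. Optional entropy acts as a second secret mixed into the key material.
$blobWithEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# 3a. Unprotect without the entropy must fail (CryptographicException surfaces via the invocation error).
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blobWithEntropy, $null, $scope)
    'Unexpected: unprotect without entropy succeeded'
} catch {
    "Unprotect without entropy failed as expected: $($_.Exception.GetBaseException().Message)"
}

# 3b. Unprotect with the entropy succeeds again for the same user.
$plainWithEntropy = [System.Security.Cryptography.ProtectedData]::Unprotect($blobWithEntropy, $entropy, $scope)
"Unprotected with entropy: {0}" -f [System.Text.Encoding]::UTF8.GetString($plainWithEntropy)
```

The caveat for defenders: CurrentUser scope binds the blob to the user's master key, which is itself derived from the logon password, so the protection boundary is the user account, not the application. Entropy raises the bar only when the application keeps it somewhere an attacker with the user's session cannot read, which is rarely the case for locally installed clients.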
Microsoft has a publication on DPAPI, and the book Threat Hunter gives more details.
If you are interested, the tool DataProtectionDecryptor by Nirsoft uses DPAPI to decrypt passwords.
