UPDATE – Viber, a messaging and VoIP application similar to WhatsApp, is in the middle of patching a vulnerability that could allow an attacker to view sensitive information shared between users like images, videos and location information.
The problem is that information transferred by Viber is stored in an unencrypted format on its servers and doesn’t require an authentication mechanism to be retrieved from a client.
Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) publicized the vulnerability this week after reportedly failing to hear back from the company when notified. Viber acknowledged this week that they are in the middle of committing fixes for the vulnerability in both its Android and Apple apps.
The vulnerability essentially means that whenever a user sends another user an image, video, location image or doodle – drawings specific to Viber – they could be sniffed or snooped by an attacker who can intercept the traffic. Messages on the app meanwhile appear to be safely encrypted.
In a description of the vulnerability, Ibrahim Baggili, an Assistant Professor of Computer Science at UNH and Jason Moore, a graduate research assistant at the university, point out that not only is the data on Viber’s Amazon servers unencrypted but it’s also not immediately deleted and can be easily accessed without authentication.
The researchers conducted their test by capturing mobile traffic via Windows 7’s virtual WiFi miniport adapter feature. While the host computer is connected to the internet through Ethernet, it shares its internet access with the adapter, turning it into a rogue access point. Researchers went on to capture and analyze the traffic through a handful of tools: NetworkMiner, Wireshark, and NetWitness.
Researchers actually found that by simply visiting the intercepted link in a web browser they could secure complete access to the data.
“Anyone, including the service providers will be able to collect this information,” the group warned Tuesday, “Anyone that sets up a rogue AP, or any man-in-the-middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.”
The images and videos stick around too.
Several days after they first conducted their test the researchers went to several links they used in their test and found the same images and doodles, under the same URLs, were still being kept on Viber’s server, accessible without authentication.
For now the researchers claim the vulnerability only affects the most recent version of the app for Android, 126.96.36.1992, released in March, and two phones: Samsung’s Galaxy S4 running Android 4.3 and the HTC One running Android 4.4.2.
In an e-mail Monday morning Frieda Aaronson, Viber’s Public Relations and Social Manager, confirmed that the issue has been resolved.
“It is currently in QA and the fix will be released for Android and submitted to Apple today,” she said, adding that as far as the company knows it isn’t aware of any individuals being affected.
Researchers from the same UNH group gained attention earlier this month when they dug up a similar bug in WhatsApp and publicized it last week. The team discovered that the app, like Viber, also broadcasted users’ location images in an unencrypted format that could be sniffed via man-in-the middle attacks.