Viber, a messaging and VoIP application similar to WhatsApp, is in the middle of patching a vulnerability that could allow an attacker to view sensitive information shared between users like images, videos and location information.
The problem is that information transferred by Viber is stored in an unencrypted format on its servers and doesn’t require an authentication mechanism to be retrieved from a client.
Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) publicized the vulnerability this week after reportedly failing to hear back from the company when notified. Viber acknowledged this week that they are in the middle of committing fixes for the vulnerability in both its Android and Apple apps.
The vulnerability essentially means that whenever a user sends another user an image, video, location image or doodle – drawings specific to Viber – they could be sniffed or snooped by an attacker who can intercept the traffic. Messages on the app meanwhile appear to be safely encrypted.
In a description of the vulnerability, Ibrahim Baggili, an Assistant Professor of Computer Science at UNH and Jason Moore, a graduate research assistant at the university, point out that not only is the data on Viber’s Amazon servers unencrypted but it’s also not immediately deleted and can be easily accessed without authentication.
The researchers conducted their test by capturing mobile traffic via Windows 7’s virtual WiFi miniport adapter feature. While the host computer is connected to the internet through Ethernet, it shares its internet access with the adapter, turning it into a rogue access point. Researchers went on to capture and analyze the traffic through a handful of tools: NetworkMiner, Wireshark, and NetWitness.
Researchers actually found that by simply visiting the intercepted link in a web browser they could secure complete access to the data.
“Anyone, including the service providers will be able to collect this information,” the group warned Tuesday, “Anyone that sets up a rogue AP, or any man-in-the-middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.”
Viber begins fixing image-encryption vulnerability
The Android version of the messaging app no longer sends images and videos without encryption protection, and an iOS fix has been submitted, the company says.
Viber has added encryption measures to its messaging app for Android and iOS so that network eavesdroppers no longer can see or tamper with unprotected images, video, and messages about a user’s location.
The new Android version 220.127.116.11, released Tuesday, includes “enhancements to the way Viber handles photo, video and location messages,” according to the Viber page on the Google Play app store. The iOS version of Viber remains unchanged since its April 23 release, but Viber last week said it’s preparing a fix. On Wednesday, the company said the fix has been submitted to Apple.
Because images and videos are unencrypted by the earlier version of Viber, a user’s private messages aren’t actually private. Somebody with control over the network Viber is using can see and even modify them.