Viber vulnerable to MITM attack, million users at risk

April 24, 2014  By Pierluigi Paganini


Fb-Button

Security researchers at UNH Cyber Forensics Research & Education Group have discovered a serious flaw in Viber messaging and voice system.

Mobile app security is one of principal concern for security experts, exploiting flaws in most popular application like WhatsApp, Flickr or Viber hackers could expose data of million end users.
Last week a group of researchers at UNH Cyber Forensics Research & Education Group discovered a vulnerability in WhatsApp “Location Share” feature which exposes user’s location to the attackers.
The same group examined another popular messaging app, Viber, finding that it lacks an implementation of security best practices threatening the privacy of more than 150 million users.
Viber application, available for Android, iOS, Windows Phone, Blackberry and Desktop, provides a free voice calling service to its users, and it also allows them to share text messages, videos and their position.

The researchers discovered that users’ data is stored in an unencrypted form on the Viber Amazon Servers. According the researchers images and videos of any Viber user could be easily accessed without any authentication, an attacker can simply intercept a link from Viber, in a classic MITM attack scenario, users to access victim’s data.
In the following image is reproduced a typical attack scenario on Viber user, it is easy to understand that an attacker can use any network testing tool available on the market, such as NetworkMiner, Wireshark, and NetWitness, to sniff the Viber traffic.

Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.” said Professor Ibrahim Baggili and Jason Moore .

Viber attack scenario
In a video, the researchers demonstrated that Viber is not encrypting any data such as images, doodles, videos and location images while exchanging it with their Amazon server, that allows an attacker to capture this unencrypted traffic with man-in-the middle attack.
The main issue is that the above-mentioned data is unencrypted, leaving it open for interception through either a Rogue AP, or any man-in-the middle attacks. 
The researchers have written a blog post to invite users to stop using Viber until the company will fix these private issues.
The experts have ethically reported the flaw to Viber security team, in time I’m writing they still haven’t received any response.
Let’s see what happen meantime, put your privacy at first place!

(Security Affairs –  Viber, privacy)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like







More Story

NIST removes Dual_EC_DRBG algorithm from Draft Guidance suggesting to abandon it

 The NIST announced it will request final public comments before Dual_EC_DRBG generator is officially removed from NIST Special...