Viber Vulnerable To Man In The Middle Attack (MITM)


So this week, researchers at the University of New Haven have been focusing on Viber and have found that pretty much everything transferred and stored on the Viber service, except the messages themselves is not encrypted either in transit or at rest (doodles, images, location data & videos).

The implication of this is that the lack of encryption leaves Viber vulnerable to sniffing/snooping or MITM attacks via a rogue AP, a telco network or anyone else that can see the traffic in the pipe.

Viber Vulnerable to MITM

The same team published a similar WhatsApp location bug (the location image is sent unencrypted) last week on Youtube – WhatsApp Location Bug/Vulnerability.

Popular Whatsapp-like messaging service Viber is exposing users to man-in-the-middle and other attacks because it isn’t encrypting various data at rest and in transit, security researchers have warned.

The mobile app allows users to send each other messages, videos, images and “doodles”, share GPS location details and make voice calls.

However, researchers at the University of New Haven Cyber Forensics Research and Education Group (UNHcFREG) found a “serious security flaw” in the way Viber receives videos, images and doodle files; the way it sends and receives location data; and the way it stores data on its Amazon servers.

The team’s experimental network created a rogue access point utilising a Windows 7 PC’s Virtual Wi-Fi Miniport Adapter and a first smartphone connected to the same network. It then connected a second smartphone outside the network via GSM and used it to exchange data with the first smartphone over Viber.

It said that with tools such as NetworkMiner, Wireshark, and NetWitness it was able to capture traffic sent over the test network.


The 2nd worry here is that the data is stored on Amazon servers unencrypted, is not deleted immediately and can be accessed without any authentication! That means as long as you can capture the URLs of the videos/files, you can just put them into your browser and download them directly from Amazon.

You can view the video posted by the team here:

Viber Security Vulnerabilities: Images, Doodles, Location and Videos sent over Viber is unencrypted

Specifically, the team claimed that images, doodles and videos received are unencrypted; location data sent and received is unencrypted; and data is stored on the Viber Amazon servers in unencrypted format.

Further, it said user data stored on Viber’s Amazon servers is not deleted immediately and that it can be easily accessed without any authentication mechanism – “simply visiting the intercepted link on a web browser gives us complete access to the data”.

The researchers added the following:

Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.

UNHcFREG said it had already informed Viber of the security flaws but received no word back at the time of publishing. A video of the test (h/t The Hacker News) can be found here.

It recommended Viber ensure all data in transit is sent over an encrypted tunnel, that data is encrypted properly when saved and that it access to it must require authentication.

The Israeli-backed messaging service, based in Cyprus, was recently acquired for $900 million by Japanese e-commerce giant Rakuten in a bid to take the firm “to a different level”.

I would imagine with the press/media coverage this flaw is getting, Viber will have to fix this pretty sharp. Honestly with the processing power of phones now, encryption at all stages should no longer be an option or an afterthought – it should be mandatory in everything.

Seen as though they’ve taken a look at Viber and WhatsApp – I wonder what will be next? LINE, Wechat? KakaoTalk?

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy

, ,


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


2 Responses to Viber Vulnerable To Man In The Middle Attack (MITM)

  1. maher April 25, 2014 at 2:41 pm #

    Perfect article , Some months ago, Viber was supposed to be compromised by the Hacking Group Syrian Electronic Army, according to a screenshot that was published.

    http://www.secnews.gr/archives/65485

    • Darknet April 25, 2014 at 4:34 pm #

      Yah, that was a web page defacement more than a compromise of the actual Viber software though.