So this week, researchers at the University of New Haven have been focusing on Viber and have found that pretty much everything transferred and stored on the Viber service, except the messages themselves is not encrypted either in transit or at rest (doodles, images, location data & videos).
The implication of this is that the lack of encryption leaves Viber vulnerable to sniffing/snooping or MITM attacks via a rogue AP, a telco network or anyone else that can see the traffic in the pipe.
The same team published a similar WhatsApp location bug (the location image is sent unencrypted) last week on Youtube – WhatsApp Location Bug/Vulnerability.
Popular Whatsapp-like messaging service Viber is exposing users to man-in-the-middle and other attacks because it isn’t encrypting various data at rest and in transit, security researchers have warned.
The mobile app allows users to send each other messages, videos, images and “doodles”, share GPS location details and make voice calls.
However, researchers at the University of New Haven Cyber Forensics Research and Education Group (UNHcFREG) found a “serious security flaw” in the way Viber receives videos, images and doodle files; the way it sends and receives location data; and the way it stores data on its Amazon servers.
The team’s experimental network created a rogue access point utilising a Windows 7 PC’s Virtual Wi-Fi Miniport Adapter and a first smartphone connected to the same network. It then connected a second smartphone outside the network via GSM and used it to exchange data with the first smartphone over Viber.
It said that with tools such as NetworkMiner, Wireshark, and NetWitness it was able to capture traffic sent over the test network.
The 2nd worry here is that the data is stored on Amazon servers unencrypted, is not deleted immediately and can be accessed without any authentication! That means as long as you can capture the URLs of the videos/files, you can just put them into your browser and download them directly from Amazon.
You can view the video posted by the team here:
Specifically, the team claimed that images, doodles and videos received are unencrypted; location data sent and received is unencrypted; and data is stored on the Viber Amazon servers in unencrypted format.
Further, it said user data stored on Viber’s Amazon servers is not deleted immediately and that it can be easily accessed without any authentication mechanism – “simply visiting the intercepted link on a web browser gives us complete access to the data”.
The researchers added the following:
Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.
UNHcFREG said it had already informed Viber of the security flaws but received no word back at the time of publishing. A video of the test (h/t The Hacker News) can be found here.
It recommended Viber ensure all data in transit is sent over an encrypted tunnel, that data is encrypted properly when saved and that it access to it must require authentication.
The Israeli-backed messaging service, based in Cyprus, was recently acquired for $900 million by Japanese e-commerce giant Rakuten in a bid to take the firm “to a different level”.
I would imagine with the press/media coverage this flaw is getting, Viber will have to fix this pretty sharp. Honestly with the processing power of phones now, encryption at all stages should no longer be an option or an afterthought – it should be mandatory in everything.
Seen as though they’ve taken a look at Viber and WhatsApp – I wonder what will be next? LINE, Wechat? KakaoTalk?
Source: The Register