Viber Vulnerable To Man In The Middle Attack (MITM)

Use Netsparker


So this week, researchers at the University of New Haven have been focusing on Viber and have found that pretty much everything transferred and stored on the Viber service, except the messages themselves is not encrypted either in transit or at rest (doodles, images, location data & videos).

The implication of this is that the lack of encryption leaves Viber vulnerable to sniffing/snooping or MITM attacks via a rogue AP, a telco network or anyone else that can see the traffic in the pipe.

Viber Vulnerable to MITM

The same team published a similar WhatsApp location bug (the location image is sent unencrypted) last week on Youtube – WhatsApp Location Bug/Vulnerability.

Popular Whatsapp-like messaging service Viber is exposing users to man-in-the-middle and other attacks because it isn’t encrypting various data at rest and in transit, security researchers have warned.

The mobile app allows users to send each other messages, videos, images and “doodles”, share GPS location details and make voice calls.

However, researchers at the University of New Haven Cyber Forensics Research and Education Group (UNHcFREG) found a “serious security flaw” in the way Viber receives videos, images and doodle files; the way it sends and receives location data; and the way it stores data on its Amazon servers.

The team’s experimental network created a rogue access point utilising a Windows 7 PC’s Virtual Wi-Fi Miniport Adapter and a first smartphone connected to the same network. It then connected a second smartphone outside the network via GSM and used it to exchange data with the first smartphone over Viber.

It said that with tools such as NetworkMiner, Wireshark, and NetWitness it was able to capture traffic sent over the test network.


The 2nd worry here is that the data is stored on Amazon servers unencrypted, is not deleted immediately and can be accessed without any authentication! That means as long as you can capture the URLs of the videos/files, you can just put them into your browser and download them directly from Amazon.

You can view the video posted by the team here:

Viber Security Vulnerabilities: Images, Doodles, Location and Videos sent over Viber is unencrypted

Specifically, the team claimed that images, doodles and videos received are unencrypted; location data sent and received is unencrypted; and data is stored on the Viber Amazon servers in unencrypted format.

Further, it said user data stored on Viber’s Amazon servers is not deleted immediately and that it can be easily accessed without any authentication mechanism – “simply visiting the intercepted link on a web browser gives us complete access to the data”.

The researchers added the following:

Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.

UNHcFREG said it had already informed Viber of the security flaws but received no word back at the time of publishing. A video of the test (h/t The Hacker News) can be found here.

It recommended Viber ensure all data in transit is sent over an encrypted tunnel, that data is encrypted properly when saved and that it access to it must require authentication.

The Israeli-backed messaging service, based in Cyprus, was recently acquired for $900 million by Japanese e-commerce giant Rakuten in a bid to take the firm “to a different level”.

I would imagine with the press/media coverage this flaw is getting, Viber will have to fix this pretty sharp. Honestly with the processing power of phones now, encryption at all stages should no longer be an option or an afterthought – it should be mandatory in everything.

Seen as though they’ve taken a look at Viber and WhatsApp – I wonder what will be next? LINE, Wechat? KakaoTalk?

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy

, ,


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


2 Responses to Viber Vulnerable To Man In The Middle Attack (MITM)

  1. maher April 25, 2014 at 2:41 pm #

    Perfect article , Some months ago, Viber was supposed to be compromised by the Hacking Group Syrian Electronic Army, according to a screenshot that was published.

    http://www.secnews.gr/archives/65485

    • Darknet April 25, 2014 at 4:34 pm #

      Yah, that was a web page defacement more than a compromise of the actual Viber software though.