Viber Vulnerable To Man In The Middle Attack (MITM)


So this week, researchers at the University of New Haven have been focusing on Viber and have found that pretty much everything transferred and stored on the Viber service, except the messages themselves is not encrypted either in transit or at rest (doodles, images, location data & videos).

The implication of this is that the lack of encryption leaves Viber vulnerable to sniffing/snooping or MITM attacks via a rogue AP, a telco network or anyone else that can see the traffic in the pipe.

Viber Vulnerable to MITM

The same team published a similar WhatsApp location bug (the location image is sent unencrypted) last week on Youtube – WhatsApp Location Bug/Vulnerability.

Popular Whatsapp-like messaging service Viber is exposing users to man-in-the-middle and other attacks because it isn’t encrypting various data at rest and in transit, security researchers have warned.

The mobile app allows users to send each other messages, videos, images and “doodles”, share GPS location details and make voice calls.

However, researchers at the University of New Haven Cyber Forensics Research and Education Group (UNHcFREG) found a “serious security flaw” in the way Viber receives videos, images and doodle files; the way it sends and receives location data; and the way it stores data on its Amazon servers.

The team’s experimental network created a rogue access point utilising a Windows 7 PC’s Virtual Wi-Fi Miniport Adapter and a first smartphone connected to the same network. It then connected a second smartphone outside the network via GSM and used it to exchange data with the first smartphone over Viber.

It said that with tools such as NetworkMiner, Wireshark, and NetWitness it was able to capture traffic sent over the test network.


The 2nd worry here is that the data is stored on Amazon servers unencrypted, is not deleted immediately and can be accessed without any authentication! That means as long as you can capture the URLs of the videos/files, you can just put them into your browser and download them directly from Amazon.

You can view the video posted by the team here:

Viber Security Vulnerabilities: Images, Doodles, Location and Videos sent over Viber is unencrypted

Specifically, the team claimed that images, doodles and videos received are unencrypted; location data sent and received is unencrypted; and data is stored on the Viber Amazon servers in unencrypted format.

Further, it said user data stored on Viber’s Amazon servers is not deleted immediately and that it can be easily accessed without any authentication mechanism – “simply visiting the intercepted link on a web browser gives us complete access to the data”.

The researchers added the following:

Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.

UNHcFREG said it had already informed Viber of the security flaws but received no word back at the time of publishing. A video of the test (h/t The Hacker News) can be found here.

It recommended Viber ensure all data in transit is sent over an encrypted tunnel, that data is encrypted properly when saved and that it access to it must require authentication.

The Israeli-backed messaging service, based in Cyprus, was recently acquired for $900 million by Japanese e-commerce giant Rakuten in a bid to take the firm “to a different level”.

I would imagine with the press/media coverage this flaw is getting, Viber will have to fix this pretty sharp. Honestly with the processing power of phones now, encryption at all stages should no longer be an option or an afterthought – it should be mandatory in everything.

Seen as though they’ve taken a look at Viber and WhatsApp – I wonder what will be next? LINE, Wechat? KakaoTalk?

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy

, ,


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.


2 Responses to Viber Vulnerable To Man In The Middle Attack (MITM)

  1. maher April 25, 2014 at 2:41 pm #

    Perfect article , Some months ago, Viber was supposed to be compromised by the Hacking Group Syrian Electronic Army, according to a screenshot that was published.

    http://www.secnews.gr/archives/65485

    • Darknet April 25, 2014 at 4:34 pm #

      Yah, that was a web page defacement more than a compromise of the actual Viber software though.