Categories: Security

Critical vulnerability in Viber exposes mobile user to serious risks

Critical vulnerability in Viber allow bypass security mechanisms

We have discussed in various occasions of security in mobile environments, mobile device are becoming the center of our digital life, they act as a bridge between our daily existence and our identity in cyberspace. Mobile follows our movements, knows our habits and maintains a history of our interaction with our contacts, it’s clear that compromising them it is possible to enter into the owner’s world.

Particularly critical are the use of social networking on mobile and the execution of a large number of applications that in the majority of case improperly manage our data, but the mobile world has also few certainties, applications that every user normally executes in total security such as Skype, Whatsapp or Viber.

What would happen if an attacker attempting to exploit some vulnerability within these applications? Try to imagine … It could know the contents of our conversations, go to our geographical location and peek in our section.

Recently a critical flaw has been found in Viber application a proprietary cross-platform instant messaging voice-over-Internet Protocol application for smartphones developed by Viber Media, in addition to text messaging, users can also exchange images, video and audio media messages. The security firm Bkav announced that it has discovered the serious vulnerability in the popular application that exposes more than 50 millions of smartphone users to the risk of attacks from attackers that could obtain exploiting it the full access on the victim’s device.

The schema of attack is quite simple, just need of a couple of mobile running Viber app and a phone number.

Following the steps to exploit the flaw:

Send Viber message to victim
Combine actions on Viber message popups with tricks like using victim’s notification bar, sending other Viber messages, etc. to make Viber keyboard appear
Once Viber keyboard has appeared, to fully access the device, create missed call to victim (with HTC Sensation XE), press Back button (with Google Nexus 4, Samsung Galaxy S2, Sony Xperia Z), etc.

Following the video of the Proof Of Concept:

Mr. Nguyen Minh Duc, Director of Bkav’s Security Division declared:

The way Viber handles to popup its messages on smartphones’ lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear,”

The viper was alerted about the vulnerability but still hasn’t replied, of course Viber will soon patch the issue … be careful to update your Viber client to avoid unpleasant surprises.

(Security Affairs – Mobile)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.