Viber vulnerable to MITM attack, million users at risk

Security researchers at UNH Cyber Forensics Research & Education Group have discovered a serious flaw in Viber messaging and voice system.

Mobile app security is one of principal concern for security experts, exploiting flaws in most popular application like WhatsApp, Flickr or Viber hackers could expose data of million end users.

Last week a group of researchers at UNH Cyber Forensics Research & Education Group discovered a vulnerability in WhatsApp “Location Share” feature which exposes user’s location to the attackers.

The same group examined another popular messaging app, Viber, finding that it lacks an implementation of security best practices threatening the privacy of more than 150 million users.

Viber application, available for Android, iOS, Windows Phone, Blackberry and Desktop, provides a free voice calling service to its users, and it also allows them to share text messages, videos and their position.

The researchers discovered that users’ data is stored in an unencrypted form on the Viber Amazon Servers. According the researchers images and videos of any Viber user could be easily accessed without any authentication, an attacker can simply intercept a link from Viber, in a classic MITM attack scenario, users to access victim’s data.

In the following image is reproduced a typical attack scenario on Viber user, it is easy to understand that an attacker can use any network testing tool available on the market, such as NetworkMiner, Wireshark, and NetWitness, to sniff the Viber traffic.

“Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.” said Professor Ibrahim Baggili and Jason Moore .

In a video, the researchers demonstrated that Viber is not encrypting any data such as images, doodles, videos and location images while exchanging it with their Amazon server, that allows an attacker to capture this unencrypted traffic with man-in-the middle attack.

“The main issue is that the above-mentioned data is unencrypted, leaving it open for interception through either a Rogue AP, or any man-in-the middle attacks. “

The researchers have written a blog post to invite users to stop using Viber until the company will fix these private issues.

The experts have ethically reported the flaw to Viber security team, in time I’m writing they still haven’t received any response.

Let’s see what happen … meantime, put your privacy at first place!

Pierluigi Paganini

(Security Affairs – Viber, privacy)