Pierluigi Paganini April 25, 2013

Critical vulnerability in Viber allow bypass security mechanisms

We have discussed in various occasions of security in mobile environments, mobile device are becoming the center of our digital life, they act as a bridge between our daily existence and our identity in cyberspace. Mobile follows our movements, knows our habits and maintains a history of our interaction with our contacts, it’s clear that  compromising them it is possible to enter into the owner’s world.

Particularly critical are the use of social networking on mobile and the execution of a large number of applications that in the majority of case improperly manage our data, but the mobile world has also few certainties, applications that every user normally executes in total security such as Skype, Whatsapp or Viber.

What would happen if an attacker attempting to exploit some vulnerability within these applications? Try to imagine … It could know the contents of our conversations, go to our geographical location and peek in our section.

Recently a critical flaw has been found in Viber application a proprietary cross-platform instant messaging voice-over-Internet Protocol application for smartphones developed by Viber Media, in addition to text messaging, users can also exchange images, video and audio media messages. The security firm Bkav announced that it has discovered the serious vulnerability in the popular application that exposes more than 50 millions of smartphone users to the risk of attacks from attackers that could obtain exploiting it the full access on the victim’s device.

The schema of attack is quite simple, just need of a couple of mobile running Viber app and a phone number.

Following the steps to exploit the flaw:

1. Send Viber message to victim
2. Combine actions on Viber message popups with tricks like using victim’s notification bar, sending other Viber messages, etc. to make Viber keyboard appear
3. Once Viber keyboard has appeared, to fully access the device, create missed call to victim (with HTC Sensation XE), press Back button (with Google Nexus 4, Samsung Galaxy S2, Sony Xperia Z), etc.

Following the video of the Proof Of Concept:

Mr. Nguyen Minh Duc, Director of Bkav’s Security Division declared:

The way Viber handles to popup its messages on smartphones’ lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear,”

The viper was alerted about the vulnerability but still hasn’t replied, of course Viber will soon patch the issue … be careful to update your Viber client to avoid unpleasant surprises.

(Security Affairs – Mobile)