Viber app leaves users' data unencrypted, researchers warn

Privacy-conscious users of popular mobile messenger app Viber may want to avoid using it, after researchers found what they described as a "serious security flaw."

The researchers from the University of New Haven Cyber Forensics Research and Education Group said Viber does not encrypt data passing through its servers.

"We recently discovered a serious security flaw in the way Viber receives Images, Doodles, Video files as well as the way it sends or receives location data. We also see potential issues in the way Viber stores data in an unencrypted format on their servers with no authentication mechanism for them to be retrieved from a client," Ibrahim Baggili (PhD) and Jason Moore said.

They also posted a video on YouTube detailing their findings.

Such a flaw may allow an attacker to intercept the data, they noted.

The researchers said they sent their findings to the Viber team first, but failed to get a response from them.

"It is important to let the people know of these vulnerabilities, therefore, we chose to publish these results and the video in this post," they said.

For their work, the researchers used an HTC One phone running Google's Android version 4.4.2; a Samsung Galaxy S4 with Android version 4.3; and Viber version 4.3.0.712.

A summary of their test results showed:

  • Images received are unencrypted
  • Doodles received are unencrypted
  • Videos received are unencrypted
  • Location images sent and received are unencrypted
  • Data is stored on the Viber Amazon Servers in an unencrypted format
  • Data stored on the Viber Amazon Servers is not deleted immediately
  • Data stored on the Viber Amazon Servers can be easily accessed without any authentication mechanism (Simply visiting the intercepted link on a web browser gives us complete access to the data)

"Anyone, including the service providers, will be able to collect this information – and anyone that sets up a rogue AP (access point), or any man-in-the-middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone," they said.

Viber promises fix

Security firm Sophos cited a statement from Viber to CNET saying it will release a fix soon for Android and iOS, and said the issue has been "resolved."

But Sophos noted a modern online messaging app should no longer really be "fixing" this sort of blunder as "encryption should have been baked in from the start."

It also said that while Viber lists only Android and iOS as getting updates, users of other platforms like desktop, Samsung's Bada, Microsoft's OSes, and Blackberry and Nokia phones are left "in the dark." — Joel Locsin/TJD, GMA News
