Viber app leaves users' data unencrypted, researchers warn

Privacy-conscious users of popular mobile messenger app Viber may want to avoid using it, after researchers found what they described as a "serious security flaw."

The researchers from the University of New Haven Cyber Forensics Research and Education Group said Viber does not encrypt data passing through its servers.

"We recently discovered a serious security flaw in the way Viber receives Images, Doodles, Video files as well as the way it sends or receives location data. We also see potential issues in the way Viber stores data in an unencrypted format on their servers with no authentication mechanism for them to be retrieved from a client," Ibrahim Baggili (PhD) and Jason Moore said.

They also posted a video on YouTube detailing their findings.

Such a flaw may allow an attacker to intercept the data, they noted.

The researchers said they sent their findings to the Viber team first, but failed to get a response from them.

"It is important to let the people know of these vulnerabilities, therefore, we chose to publish these results and the video in this post," they said.

For their work, the researchers used an HTC One phone running Google's Android version 4.4.2; a Samsung Galaxy S4 with Android version 4.3; and Viber version 4.3.0.712.

A summary of their test results showed:

  • Images received are unencrypted
  • Doodles received are unencrypted
  • Videos received are unencrypted
  • Location images sent and received are unencrypted
  • Data is stored on the Viber Amazon Servers in an unencrypted format
  • Data stored on the Viber Amazon Servers is not deleted immediately
  • Data stored on the Viber Amazon Servers can be easily accessed without any authentication mechanism (Simply visiting the intercepted link on a web browser gives us complete access to the data)

"Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP (access point), or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone," they said.

Viber promises fix

Security firm Sophos cited a statement from Viber to CNET saying it will release a fix soon for Android and iOS, and said the issue has been "resolved."

But Sophos noted a modern online messaging app should no longer really be "fixing" this sort of blunder as "encryption should have been baked in from the start."

It also said that while Viber lists only Android and iOS as getting updates, users of other platforms like desktop, Samsung's Bada, Microsoft's OSes, and BlackBerry and Nokia phones are "in the dark." — Joel Locsin/TJD, GMA News
