Viber app leaves users' data unencrypted, researchers warn

Privacy-conscious users of popular mobile messenger app Viber may want to avoid using it, after researchers found what they described as a "serious security flaw."

The researchers from the University of New Haven Cyber Forensics Research and Education Group said Viber does not encrypt data passing through its servers.

"We recently discovered a serious security flaw in the way Viber receives Images, Doodles, Video files as well as the way it sends or receives location data. We also see potential issues in the way Viber stores data in an unencrypted format on their servers with no authentication mechanism for them to be retrieved from a client," Ibrahim Baggili (PhD) and Jason Moore said.

They also posted a video on YouTube detailing their findings.

Such a flaw may allow an attacker to intercept the data, they noted.

The researchers said they sent their findings to the Viber team first, but failed to get a response from them.

"It is important to let the people know of these vulnerabilities, therefore, we chose to publish these results and the video in this post," they said.

For their work, the researchers used an HTC One phone running Google's Android version 4.4.2; a Samsung Galaxy S4 with Android version 4.3; and Viber version 4.3.0.712.

A summary of their test results showed:

  • Images received are unencrypted
  • Doodles received are unencrypted
  • Videos received are unencrypted
  • Location images sent and received are unencrypted
  • Data is stored on the Viber Amazon Servers in an unencrypted format
  • Data stored on the Viber Amazon Servers is not deleted immediately
  • Data stored on the Viber Amazon Servers can be easily accessed without any authentication mechanism (Simply visiting the intercepted link on a web browser gives us complete access to the data)

"Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP (access point), or any man-in-the-middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone," they said.

Viber promises fix

Security firm Sophos cited a statement from Viber to CNET saying it will release a fix soon for Android and iOS, and said the issue has been "resolved."

But Sophos noted a modern online messaging app should no longer really be "fixing" this sort of blunder as "encryption should have been baked in from the start."

It also said that while Viber lists only Android and iOS as getting updates, users of other platforms like desktop, Samsung's Bada, Microsoft's OSes, and Blackberry and Nokia phones are left "in the dark." — Joel Locsin/TJD, GMA News
