Viber app leaves users' data unencrypted, researchers warn

Privacy-conscious users of popular mobile messenger app Viber may want to avoid using it, after researchers found what they described as a "serious security flaw."

The researchers from the University of New Haven Cyber Forensics Research and Education Group said Viber does not encrypt data passing through its servers.

"We recently discovered a serious security flaw in the way Viber receives Images, Doodles, Video files as well as the way it sends or receives location data. We also see potential issues in the way Viber stores data in an unencrypted format on their servers with no authentication mechanism for them to be retrieved from a client," Ibrahim Baggili (PhD) and Jason Moore said.

They also posted a video on YouTube detailing their findings.

Such a flaw may allow an attacker to intercept the data, they noted.

The researchers said they sent their findings to the Viber team first, but failed to get a response from them.

"It is important to let the people know of these vulnerabilities, therefore, we chose to publish these results and the video in this post," they said.

For their work, the researchers used an HTC One phone running Google's Android version 4.4.2; a Samsung Galaxy S4 with Android version 4.3; and Viber version 4.3.0.712.

A summary of their test results showed:

  • Images received are unencrypted
  • Doodles received are unencrypted
  • Videos received are unencrypted
  • Location images sent and received are unencrypted
  • Data is stored on the Viber Amazon Servers in an unencrypted format
  • Data stored on the Viber Amazon Servers is not deleted immediately
  • Data stored on the Viber Amazon Servers can be easily accessed without any authentication mechanism (simply visiting the intercepted link on a web browser gives us complete access to the data)
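
The last findings describe a bare media link sent in the clear that also works as the only access control. The following is an added example, not code from the researchers or from Viber, showing one possible server-side mitigation: HTTPS-only download links that carry an expiry time and an HMAC-SHA256 signature. The host name, key, and the `exp` and `sig` parameter names are constructed for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key (assumption); a real service loads this from a secret store.
DEMO_KEY = b"constructed-demo-key"


def _signature(path, expires_at, key):
    """HMAC-SHA256 over the object path and its expiry time."""
    msg = f"{path}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_media_url(base_url, expires_at, key=DEMO_KEY):
    """Append an expiry and a signature so the link is not valid on its own."""
    sig = _signature(urlsplit(base_url).path, expires_at, key)
    return base_url + "?" + urlencode({"exp": expires_at, "sig": sig})


def check_media_request(url, now, key=DEMO_KEY):
    """Server-side gate: return 'ok' or the reason the request is refused."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "refused: plaintext transport"
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        # This is the case reported above: a bare link with no credentials.
        return "refused: unauthenticated link"
    expected = _signature(parts.path, expires_at, key)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "refused: bad signature"
    if now > expires_at:
        return "refused: link expired"
    return "ok"


if __name__ == "__main__":
    # Constructed sample link; the host is a placeholder, not a real endpoint.
    bare = "https://media.example.invalid/u/abc123.jpg"
    signed = sign_media_url(bare, expires_at=1000)
    for label, url, now in [("bare", bare, 900), ("signed", signed, 900),
                            ("expired", signed, 1001)]:
        print(label, "->", check_media_request(url, now))
```
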

"Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP (access point), or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone," they said.

Viber promises fix

Security firm Sophos cited a statement from Viber to CNET saying it will release a fix soon for Android and iOS, and said the issue has been "resolved."

But Sophos noted a modern online messaging app should no longer really be "fixing" this sort of blunder as "encryption should have been baked in from the start."

It also said that while Viber lists only Android and iOS as getting updates, users of other platforms like desktop, Samsung's Bada, Microsoft's OSes, and Blackberry and Nokia phones are "in the dark." — Joel Locsin/TJD, GMA News
