Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Security

Critical vulnerability in Viber exposes mobile user to serious risks

Critical vulnerability in Viber allow bypass security mechanisms We have discussed in various occasions of security in mobile environments, mobile device are becoming the center of our digital life, they act as a bridge between our daily existence and our identity in cyberspace. Mobile follows our movements, knows our habits and maintains a history of our interaction with our contacts, it’s clear that  compromising them […]

Critical vulnerability in Viber exposes mobile user to serious risks

Critical vulnerability in Viber allow bypass security mechanisms

We have discussed in various occasions of security in mobile environments, mobile device are becoming the center of our digital life, they act as a bridge between our daily existence and our identity in cyberspace. Mobile follows our movements, knows our habits and maintains a history of our interaction with our contacts, it’s clear that  compromising them it is possible to enter into the owner’s world.

Particularly critical are the use of social networking on mobile and the execution of a large number of applications that in the majority of case improperly manage our data, but the mobile world has also few certainties, applications that every user normally executes in total security such as Skype, Whatsapp or Viber.

What would happen if an attacker attempting to exploit some vulnerability within these applications? Try to imagine … It could know the contents of our conversations, go to our geographical location and peek in our section.

Recently a critical flaw has been found in Viber application a proprietary cross-platform instant messaging voice-over-Internet Protocol application for smartphones developed by Viber Media, in addition to text messaging, users can also exchange images, video and audio media messages. The security firm Bkav announced that it has discovered the serious vulnerability in the popular application that exposes more than 50 millions of smartphone users to the risk of attacks from attackers that could obtain exploiting it the full access on the victim’s device.

The schema of attack is quite simple, just need of a couple of mobile running Viber app and a phone number.

Following the steps to exploit the flaw:

  1. Send Viber message to victim
  2. Combine actions on Viber message popups with tricks like using victim’s notification bar, sending other Viber messages, etc. to make Viber keyboard appear
  3. Once Viber keyboard has appeared, to fully access the device, create missed call to victim (with HTC Sensation XE), press Back button (with Google Nexus 4, Samsung Galaxy S2, Sony Xperia Z), etc.

Following the video of the Proof Of Concept:

POC_Video

Mr. Nguyen Minh Duc, Director of Bkav’s Security Division declared:

The way Viber handles to popup its messages on smartphones’ lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear,

The viper was alerted about the vulnerability but still hasn’t replied, of course Viber will soon patch the issue … be careful to update your Viber client to avoid unpleasant surprises.

(Security Affairs – Mobile)