Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Viber vulnerable to MITM attack, million users at risk

Security researchers at UNH Cyber Forensics Research & Education Group have discovered a serious flaw in Viber messaging and voice system. Mobile app security is one of principal concern for security experts, exploiting flaws in most popular application like WhatsApp, Flickr or Viber hackers could expose data of million end users. Last week a group of researchers at UNH […]

Viber vulnerable to MITM attack, million users at risk

Security researchers at UNH Cyber Forensics Research & Education Group have discovered a serious flaw in Viber messaging and voice system.

Mobile app security is one of principal concern for security experts, exploiting flaws in most popular application like WhatsApp, Flickr or Viber hackers could expose data of million end users.
Last week a group of researchers at UNH Cyber Forensics Research & Education Group discovered a vulnerability in WhatsApp “Location Share” feature which exposes user’s location to the attackers.
The same group examined another popular messaging app, Viber, finding that it lacks an implementation of security best practices threatening the privacy of more than 150 million users.
Viber application, available for Android, iOS, Windows Phone, Blackberry and Desktop, provides a free voice calling service to its users, and it also allows them to share text messages, videos and their position.

The researchers discovered that users’ data is stored in an unencrypted form on the Viber Amazon Servers. According the researchers images and videos of any Viber user could be easily accessed without any authentication, an attacker can simply intercept a link from Viber, in a classic MITM attack scenario, users to access victim’s data.
In the following image is reproduced a typical attack scenario on Viber user, it is easy to understand that an attacker can use any network testing tool available on the market, such as NetworkMiner, Wireshark, and NetWitness, to sniff the Viber traffic.

Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.” said Professor Ibrahim Baggili and Jason Moore .

Viber attack scenario
In a video, the researchers demonstrated that Viber is not encrypting any data such as images, doodles, videos and location images while exchanging it with their Amazon server, that allows an attacker to capture this unencrypted traffic with man-in-the middle attack.
The main issue is that the above-mentioned data is unencrypted, leaving it open for interception through either a Rogue AP, or any man-in-the middle attacks. 
The researchers have written a blog post to invite users to stop using Viber until the company will fix these private issues.
The experts have ethically reported the flaw to Viber security team, in time I’m writing they still haven’t received any response.
Let’s see what happen meantime, put your privacy at first place!

(Security Affairs –  Viber, privacy)