The Viber instant messaging app has become a household name, with over 200 million downloads worldwide. This cross-platform software is also compatible with desktops and provides unique functionality. But researchers at the University of New Haven have now exposed the lack of data encryption in the popular mobile app, a serious security problem.
This is the second IM vulnerability exposed by the UNH experts this month, with the previous one being found in the WhatsApp messenger. The Facebook-owned service was found to give away user location in an unencrypted and open form.
Viber is now feeling the heat. Hackers can easily perform man-in-the-middle attacks to harvest sensitive user data. Its even possible to retrieve messages including photos, videos and location-related data from the Viber servers.
The POC involved the installation of Viber on two separate smartphones. One account was accessed via a PC running Windows 7, which was defined as a wireless access point. NetworkMiner software was used to fetch the pictures and videos from the Viber servers, where they were stored in their original format without encryption.
Not only was the data unencrypted and unprotected, the researchers needed no authentication or verification steps to get the desired information. Viber is also vulnerable to commercial and criminal man-in-the-middle snooping, which can be achieved by setting up a rogue server/access point to intercept communications.
Viber is already working on a security fix, which should involve comprehensive end-to-end encryption. The company’s security officers should also implement Static Application Security Testing (SAST) solutions to safeguard their servers. For example, Source Code Analysis (SCA) ensures that databases are safely and legally accessed.
In the meanwhile CISOs and Security experts keen to protect their company’s privacy must take the pro-active approach to combat the lack of security standards in the Viber app. The BYOD phenomenon has left no other option than to restrict or even ban the use of Viber on company devices till the aforementioned security issue is resolved.
Update: Viber has just released a secure version for Android OS. All users are advised to update their apps as soon as possible. iOS 7, Windows Phone and Blackberry running devices are still vulnerable to MITM attacks.
Source: Viber Security Issue