Vulnerability Management

No encryption means easy compromise of Viber location data, communications

The unencrypted way that images, doodles, videos and locations are stored, sent and received by cross-platform text message and voice over internet protocol (VoIP) service Viber is opening the door to data interception by attackers, or service providers.

Researchers with the University of New Haven (UNH) Cyber Forensics Research & Education Group uncovered the Viber vulnerabilities as part of their ongoing network forensic analysis of chatting applications, which led them to discover flaws in WhatsApp earlier this month.

“If you are on a local network, you can simply sniff traffic coming in and out of the router, thus grabbing all this data,” Ibrahim Baggili, director of the UNH cyber group, told in a Thursday email correspondence.

This means that Viber users connected to open access Wi-Fi in a coffee shop, for example, can be targeted by man-in-the-middle attacks, including rogue access points or Address Resolution Protocol (ARP) poisoning, Baggili said.

Another big issue is that the unencrypted data is moving through the internet provider. “This means that spying could easily occur on your traffic through the service provider, if a certain entity had access to that data, and wanted to target you specifically,” Baggili said.

The issue is compounded because Viber stores that data on Amazon servers without any authentication or encryption.

“A simple visit to a link will download the data,” Baggili said. “The data is still obviously stored on their network, and anyone that clicks on the link gets immediate access to it without verifying who the user is, and whether or not they have sufficient credentials to actually get to that data.”

The UNH cyber team is warning against using Viber until these bugs are fixed, according to a Tuesday post, which includes a link to a video that details the attack. Recommendations include encrypting the data over a tunnel when it is sent, as well as making sure stored data is encrypted and authentication is required for access.

A Viber spokesperson did not respond to a request for comment. Baggili said that Viber representatives did not respond to correspondence from the UNH cyber group, but he pointed to an article that states the company is working to fix the issues immediately.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.