Privacy-conscious users of popular mobile messenger app Viber may want to avoid using it, after researchers found what they described as a "serious security flaw."
The researchers from the University of New Haven Cyber Forensics Research and Education Group said Viber does not encrypt data passing through its servers.
"We recently discovered a serious security flaw in the way Viber receives Images, Doodles, Video files as well as the way it sends or receives location data. We also see potential issues in the way Viber stores data in an unencrypted format on their servers with no authentication mechanism for them to be retrieved from a client," Ibrahim Baggili (PhD) and Jason Moore said.
Also, they posted a video on YouTube detailing their findings:
Such a flaw may allow an attacker to intercept the data, they noted.
The researchers said they sent their findings to the Viber team first, but failed to get a response from them.
"It is important to let the people know of these vulnerabilities, therefore, we chose to publish these results and the video in this post," they said.
For their work, the researchers used an HTC One phone running Google's Android version 4.4.2; a Samsung Galaxy S4 with Android version 4.3; and Viber version 184.108.40.2062.
A summary of their test results showed:
Images received are unencrypted Doodles received are unencrypted Videos received are unencrypted Location images sent and received are unencrypted Data is stored on the Viber Amazon Servers in an unencrypted format Data stored on the Viber Amazon Servers is not deleted immediately Data stored on the Viber Amazon Servers can be easily accessed without any authentication mechanism (Simply visiting the intercepted link on a web browser gives us complete access to the data)
"Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP (access point), or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone," they said.
Viber promises fix
Security firm Sophos cited a statement from Viber to CNET saying it will release a fix soon for Android and iOS, and said the issue has been "resolved."
But Sophos noted a modern online messaging app should no longer really be "fixing" this sort of blunder as "encryption should have been baked in from the start."
It also said that while Viber lists only Android and iOS as getting updates, users of other platforms like desktop, Samsung's Bada, Microsoft's OSes, and Blackberry and Nokia phones "in the dark." — Joel Locsin/TJD, GMA News