Sophos Cloud Optix
Viber, a mobile messenger app that allows users to make phone calls and send text messages and images for free, also gives up plenty of free user data to anyone who wants to listen.
According to researchers from the University of New Haven (UNH) in Connecticut, US, Viber’s app sends user messages in unencrypted form – including photos, videos, doodles, and location images.
All of that rich data from users is also stored unencrypted on Viber’s servers, rather than being deleted immediately, and is accessible without credentials, just a link, the UNH researchers said.
It’s the second cryptographic blunder exposed by UNH researchers in as many weeks – the UNH Cyber Forensics Research & Education Group disclosed on 13 April 2014 that the WhatsApp messenger app also gives away user location data in unencrypted form.
Using a Windows PC as a Wi-Fi access point, the UNH team was able to capture data sent by an Android smartphone with regular traffic sniffing tools, the same approach taken by UNH in their experiments with WhatsApp.
In a video posted on the UNH website and YouTube, the researchers demonstrated capturing messages sent between two test Android phones.
Data can be intercepted by poisoned access points, by malicious users on the same Wi-Fi network, or elsewhere in the network between you and Viber.
In the video, one of the researchers said the unencrypted messages can also be retrieved from Viber’s servers by anyone who knows the message URL:
The data is stored on Viber's server in an unencrypted manner. There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it.
The researchers, Dr Ibrahim Baggili and Jason Moore, said in a blog post that they reported the security flaw directly to Viber before publishing their results but did “not receive a response from them.”
In a statement to CNET, Viber said it would be releasing a fix soon for Android and iOS, and said the issue has been “resolved.”
This issue has already been resolved. It is currently in QA and the fix will be released for Android and submitted to Apple on Monday. As of today we aren't aware of a single user who has been affected by this.
The fact is that an modern online messaging app shouldn’t really be “fixing” this sort of blunder – encryption should have been baked in from the start.
And for all that Viber may have “fixed” its apps to exchange data securely now, it hasn’t said anything about addressing the insecurities that UNH found in Viber’s cloud, where your messages are stored.
The company also lists only Android and iOS as getting updates, leaving users of its numerous other supported platforms in the dark.
That includes users of Viber on the desktop, via Samsung’s Bada ecosystem, on Microsoft’s various mobile operating systems, and on Blackberry and Nokia phones.
With all of this in mind, Viber’s claim that “we aren’t aware of a single user who has been affected by this” rings very hollow.
After all, the company didn’t bother to apologize for not spotting these problems in its own QA – and putting its customers at needless risk.
Leaky mobile apps and data privacy
As is becoming all too common with the new breed of mobile messenger apps – including the Facebook-owned WhatsApp and the photo and video-sharing app Snapchat – security and privacy of user data seems to be an afterthought.
Although both WhatsApp and Viber said they will work to fix their encryption oversights, at times these young companies have exhibited a cavalier and disdainful attitude towards data privacy and security.
Viber, founded in 2010, has had a couple other security incidents in the past year.
In July 2013, a security researcher managed to use pop-up notifications from the Viber app to bypass the lock screen on an Android device.
And in April 2013, Viber’s support page was hacked by the Syrian Electronic Army, although no user data was lost in the attack.
WhatsApp’s founder Jan Koum famously said that “respect for your privacy is coded in our DNA,” after his company was bought out by Facebook for $19 billion in March.
That’s a nice sentiment, but WhatsApp has made repeated cryptographic blunders that left user data vulnerable.
Another rapidly growing messenger app, Snapchat, ignored warnings from security researchers that the app allowed unlimited searches of user phone numbers – a flaw that led to an attacker dumping 4.6 million usernames and phone numbers online after Snapchat dismissed the attack as “theoretical.”
When asked to appear voluntarily before a Congressional hearing on data breaches, Snapchat refused to testify, leading one US Senator to say the company was “hiding something.”
Which is ironic, since hiding user data from prying eyes doesn’t appear to be one of the company’s strengths.
Despite promises it made to users that their private messages would “disappear forever,” Snapchat has acknowledged that user Snaps aren’t deleted right away from their servers or from users’ phones.
These popular messenger apps may be free, but at a cost to privacy for their hundreds of millions of users.
OK, but what should be we use?! Is there a secure alternative out there?
(Please say there is…)
Yeah it is the normal phone service. Don’t download an app to make a call.
Already won one class action suit against the “normal” phone service – in New Haven as a matter of fact – cooperating illegally with FBI and local coppers.
Well, if you’re on an Android device, you’re already sharing info with Google, so its home-grown text messaging system seems like it would be an option. You’ll have to judge for yourself whether it is secure enough or not though. I’ve used a few other apps that haven’t had major security breaches yet, but my guess is that that’s likely mostly due to low product visibility.
When dealing with apps, getting an app from a company that already has a good reputation for infrastructure security (they’re not a company founded on making an app) is often a good idea. But there are likely AppStartups out there that really do put security first.
I know I haven’t really made useful suggestions here, but in this case, it probably should be an official study or your own investigation to discover what the secure alternatives are. After all, it’s your personal information we’re texting about here.
Of course you’re right. It just means that each time I change IM client, I have to schlep my friends and family along with me – which they normally agree to because they’re good sorts, but it is still a pain.
SMS isn’t really an option, as I want to be able to send photos and videos for free to multiple group members. Maybe Google+ is indeed the answer. I had always put it in the same category as F******k, but, as you say, Google already have access to my entire personal life. (I rather like the asterisk-filled spelling of Facebook. I feel it makes the point nicely.)
I will have to investigate. Thanks.
Beyond all the important points above is another really critical one! In order to use Viber, you need to fork over your ENTIRE contact list. You may not realize it but you do. Once done, Viber has that information – for good – on their servers. So everyone your contact list knows, so does everyone else – in the entire world.
That’s how Viber knows how to connect with everyone without needing to set up an account or create a user ID.
But wait, there’s more! Viber has been bought by Rakuten, a 10,000-person Japanese e-commerce giant.
Now what do you think they could possibly do with EVERY contact from EVERY Viber user…?
Yup, it was “free” or so you thought.
i think anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.
If i use viber through a VPN am i protected
I have never used viber. I gave my old mobile number to my brother and he doesn’t use viber. I found out from my neice who is on the other side of the world that someone is using my old number on viber, how is that possible?
Hi, would anyone know if viber addressed this issue already?