Researchers Able To Intercept Unencrypted Viber Data

Researchers at the University of New Haven have exposed a number of security flaws in popular mobile VoIP and instant messaging application Viber that could allow an attacker to obtain images, videos and location data.

The university’s Cyber Forensics Research and Education says such information is stored in an unencrypted format on Viber’s Amazon servers, is not deleted immediately and can be easily accessed without any authentication mechanism.

“Anyone, including the service providers, will be able to collect this information – and anyone that sets up a rogue access point, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone,” the researchers warned.

Viber vulnerability

To test their theory, the group conducted an experiment. They set up a rogue access point using the Windows 7 Wi-Fi miniport adapter feature and were able to capture information sent between two smartphones using tools such as NetworkMiner, Wireshark, and NetWitness.

The researchers say they sent information about the flaw to Viber, but received no response, which is why they have released their findings to the public. It has called on the service to make sure data is encrypted when it is being sent and saved and to require authentication when it is being accessed to prevent more sinister groups from exploiting the vulnerability.

The discovery is a blow for Viber, which was recently acquired by Japanese e-commerce firm Rakuten, and is hoping to better compete with rivals such as WhatsApp and Skype. Earlier this week it launched a refreshed version of its iOS application and released a client for BlackBerry 10.

It’s not the first security scare to affect the service, after the Syrian Electronic Army (SEA) hacked Viber’s support page, with user data, including the IP address, country and device type, compromised although the company insisted that sensitive user data was not taken.

What do you know about the smartphones of 2013? Take our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

BT Identifies 2,000 Potential Cyberattacks Signals Every Second

Level of cyberthreats revealed, after BT says it spots 2,000 signals of potential cyberattacks every…

2 days ago

CMA Cites Higher Prices Post Vodafone, Three Merger, Demands Changes

The British competition regulator has provisionally found competition concerns over Vodafone’s planned merger with Three…

2 days ago

Microsoft Cuts Hundreds Of Gaming Staff

Post Activision - Microsoft Gaming confirms it will axe 650 employees, after thousands of job…

2 days ago

SpaceX Polaris Dawn Crew Carry Out First Commercial Spacewalk

Billionaire Jared Isaacman and SpaceX’s Sarah Gillis become first non-professional astronauts to carry out risky…

3 days ago

Government To Classify UK Data Centres As Critical Infrastructure

Data centres in the UK are to designated as Critical National Infrastructure (CNI), alongside energy…

3 days ago

Irish Watchdog Launches Inquiry Into Google AI Model

Google's protection of EU users' personal data when training its AI model, is under investigation…

3 days ago