Researchers Able To Intercept Unencrypted Viber Data

Researchers at the University of New Haven have exposed a number of security flaws in popular mobile VoIP and instant messaging application Viber that could allow an attacker to obtain images, videos and location data.

The university’s Cyber Forensics Research and Education says such information is stored in an unencrypted format on Viber’s Amazon servers, is not deleted immediately and can be easily accessed without any authentication mechanism.

“Anyone, including the service providers, will be able to collect this information – and anyone that sets up a rogue access point, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone,” the researchers warned.

Viber vulnerability

To test their theory, the group conducted an experiment. They set up a rogue access point using the Windows 7 Wi-Fi miniport adapter feature and were able to capture information sent between two smartphones using tools such as NetworkMiner, Wireshark, and NetWitness.

The researchers say they sent information about the flaw to Viber, but received no response, which is why they have released their findings to the public. It has called on the service to make sure data is encrypted when it is being sent and saved and to require authentication when it is being accessed to prevent more sinister groups from exploiting the vulnerability.

The discovery is a blow for Viber, which was recently acquired by Japanese e-commerce firm Rakuten, and is hoping to better compete with rivals such as WhatsApp and Skype. Earlier this week it launched a refreshed version of its iOS application and released a client for BlackBerry 10.

It’s not the first security scare to affect the service, after the Syrian Electronic Army (SEA) hacked Viber’s support page, with user data, including the IP address, country and device type, compromised although the company insisted that sensitive user data was not taken.

What do you know about the smartphones of 2013? Take our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Hackers Target Australia’s Largest Pension Funds

Multiple pension funds in Australia have been hit in co-ordinated hacking attacks, and unfortunately customers…

19 hours ago

Pentagon Confirms Investigation Of Signal Use By Pete Hegseth

Inspector General at the Pentagon confirms investigation into the use of Signal app by US…

20 hours ago

Amazon Resumes Drone Deliveries In US

After a two month hiatus following crashes of a new drone model, Amazon has resumed…

22 hours ago

Amazon Joins Bidders To Acquire TikTok In US

But will Beijing or ByteDance allow sale? Amazon joins potential bidders for TikTok in US,…

2 days ago

Elon Musk Dismisses Reports Of Imminent Departure From DOGE

Elon Musk dismisses report that Trump told cabinet that he expects Musk to leave his…

2 days ago