Viber online chat application sends images, videos and map locations without encryption and stores it online for at least a week in plain, accessible and retrievable format.
Researchers at the University of New Haven's Cyber Forensics Research & Education Group have discovered a flaw in the way Viber, the popular online chat application, transfers and stores images, videos and map locations sent by users. Ibrahim Baggili and Jason Moore discovered the vulnerability Viber app leaves its users with by tweaking the network traffic and setting up a wireless access point for just one of the mobile phones.
Anyone with basic knowledge of hacking can manipulate the network to get all necessary data. Researchers found the data stored without any encryption, which means there is no decoding required to open an image, watching a video or finding a person's location shared through the app. The research team detailed Viber's open transmission in a YouTube video, Tuesday.
"We recently discovered a serious security flaw in the way Viber receives Images, Doodles, Video files as well as the way it sends or receives location data," according to the findings of the study published in the University's official blog, Wednesday. "We also see potential issues in the way Viber stores data in an unencrypted format on their servers with no authentication mechanism for them to be retrieved from a client."
Baggili, an assistant professor of computer science, said the vulnerability was first reported to the Viber security team before publishing online but failed to get any response. However, Viber told CNET that they are currently working on a fix and will soon have it resolved.
"This issue has already been resolved," the company said in a statement. "It is currently in QA [quality assurance testing], and the fix will be released for Android and submitted to Apple on Monday. As of today we aren't aware of a single user who has been affected by this."
The researchers also posted the possible solution that can prevent users' data falling into the wrong hands. Firstly, Viber must encrypt the data when it is being transferred from one user to another and then add encryption and strict authentication mechanism when the information is stored on the servers.
During their research on the Viber security, researchers got their hands on a small, yet signification problem with WhatsApp. As shown in a YouTube video, UNH researchers said the biggest mobile chat application owned by Facebook, which currently has more than 500 million active users, does not encrypt the location image shared between users. The problem was flagged to the WhatsApp team and the company responded with a statement saying the issue will be a part of next update released to all platforms.
HNGN has contacted WhatsApp for more details on the issue. We will update when we get a response.