University study with video: Viber user data pretty much wholly unencrypted and easily accessible
Moreover, the activity is stored on Viber’s servers, not deleted, and can be accessed without any credentials according to researchers at the University of New Haven’s Tagliatela College of Engineering, in Connecticut.
Researchers with the Cyber Forensics Research & Education Group were able to grab pictures, videos, even doodles sent through Viber. They set up a Windows PC as a wireless access point and then were able to monitor traffic between two Android smartphones, only one of which was connected to that access point. The other device was on the traditional carrier network. The intercepting and capture of data was happening in real time, as you can see in the video below.
“The data is stored on Viber's server in an unencrypted manner. There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it.”
Dr. Ibrahim Baggili and Jason Moore are the researchers at University of New Haven that brought this issue to light. The duo also noted that WhatsApp apparently does not encrypt user-location data, but that issue was nothing like the gaping hole uncovered with Viber. The team then went back to Viber's server a few days later and found the data was still there, unencrypted and accessible with no authentication or credentials.
Viber has apparently fixed the issues, with updates to the Android and iOS apps on the way, but no word about all the other platforms Viber operates on, Windows, Windows Phone, BlackBerry, BadaOS, and Symbian. The company states that it is not aware of any single user affected by this issue.
In this day and age though, how does anything that is network connected get created without some reasonable type of data protection in mind? It is disappointing to say the least that the company had to fix anything at all.
sources: CNET, Naked Security and University of New Haven
1. 0xFFFF (Posts: 3277; Member since: 16 Apr 2014)
Pretty much everything in the mobile world either has no security or fake security. Being able to sell data on people is a requirement for VC funding as that is the favored "business model".
2. Gawain (Posts: 367; Member since: 15 Apr 2010)
Protected or unprotected user data has nothing to do with the "sellability" of it for purposes of marketing.
3. 0xFFFF (Posts: 3277; Member since: 16 Apr 2014)
This is true unless you are selling information security as part of your value proposition. For example, TextSecure.