University study with video: Viber user data pretty much wholly unencrypted and easily accessible

3comments
University study with video: Viber user data pretty much wholly unencrypted and easily accessible
If you are one of Viber’s few hundred million users, your Viber life is an open book, from messages, to pictures and video, to location data, the whole stream is unencrypted, and the server side appears to have no authentication either.

Moreover, the activity is stored on Viber’s servers, not deleted, and can be accessed without any credentials according to researchers at the University of New Haven’s Tagliatela College of Engineering, in Connecticut.

Researchers with the Cyber Forensics Research & Education Group were able to grab pictures, videos, even doodles sent through Viber. They set up a Windows PC as a wireless access point and then were able to monitor traffic between two Android smartphones, only one of which was connected to that access point. The other device was on the traditional carrier network. The intercepting and capture of data was happening in real time, as you can see in the video below.

“The data is stored on Viber's server in an unencrypted manner. There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it.”

Dr. Ibrahim Baggili and Jason Moore are the researchers at University of New Haven that brought this issue to light. The duo also noted that WhatsApp apparently does not encrypt user-location data, but that issue was nothing like the gaping hole uncovered with Viber.  The team then went back to Viber's server a few days later and found the data was still there, unencrypted and accessible with no authentication or credentials.

Viber has apparently fixed the issues, with updates to the Android and iOS apps on the way, but no word about all the other platforms Viber operates on, Windows, Windows Phone, BlackBerry, BadaOS, and Symbian. The company states that it is not aware of any single user affected by this issue.

In this day and age though, how does anything that is network connected get created without some reasonable type of data protection in mind?  It is disappointing to say the least that the company had to fix anything at all.

Video Thumbnail


sources: CNET, Naked Security and University of New Haven
Create a free account and join our vibrant community
Register to enjoy the full PhoneArena experience. Here’s what you get with your PhoneArena account:
  • Access members-only articles
  • Join community discussions
  • Share your own device reviews
  • Build your personal phone library
Register For Free

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless