Viber's Poor Data Security Practices Threaten User Privacy
Last week we reported a critical vulnerability in the world's most popular messaging application WhatsApp, that could expose users' GPS location data to hackers and was discovered by the researchers at UNH Cyber Forensics Research & Education Group.

Same Group of researchers reported new set of vulnerabilities in another most popular messaging application 'VIber'. They claimed that Viber's poor data security practices threaten privacy of its more than 150 million active users.

Cross Platform messaging app Viber allows registered users to share text messages, images, doodles, GPS Location and videos with each other, along with its popular free voice calling feature which is available for Android, iOS, Windows Phone, Blackberry and Desktops as well.

The researchers found that users' data stored on the Viber Amazon Servers including images and videos are stored in an unencrypted form that could be easily accessed without any authentication i.e.which gives leverage to an attacker to simply visiting the intercepted link on a website for the complete access to the data.
Viber's Poor Data Security Practices Threaten User Privacy
In a video, the researchers demonstrated that viber is not encrypting any data such as images, doodles, videos and location images while exchanging it with their Amazon server, that allows an attacker to capture this unencrypted traffic with man-in-the middle attack.
"The main issue is that the above-mentioned data is unencrypted, leaving it open for interception through either a Rogue AP, or any man-in-the middle attacks," the researcher wrote in the blog post.

An attacker can use any network testing tool such as NetworkMiner, Wireshark, and NetWitness to capture the traffic during man-in-the-middle attack.
"Anyone, including the service providers will be able to collect this information – and anyone that sets up a rogue AP, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone." Professor Ibrahim Baggili, and Jason Moore said.
In Whitehat style, researchers had already reported the vulnerabilities to the Viber team before publishing their findings to the blog, but haven't received any response yet.

"It is important to let the people know of these vulnerabilities, therefore, we chose to publish these results and the video in this post," they wrote.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.